
Archive for October, 2008

Selective Notification

As the Privacy Director for the Liberty Coalition, I have discovered and documented roughly 100 breaches on our website, SSNBreach.org. There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who’s responsible. The vast majority of these breaches are unintentional. Except for breaches by criminal ID theft rings, most breaches are due to ignorance, recklessness or plain stupidity, not maliciousness.

Inside the Breach

I recently announced such a breach by East Burke High School in the small North Carolina town of Connelly Springs. In short, a staff member had placed personal information online for more than five years. The victims included 163 teachers, bus drivers, custodians, and others who worked at East Burke High School in 2003. The information exposed included names, social security numbers, addresses, phone numbers, job titles, e-mail addresses, and a few unlisted phone numbers.

I notified the school, which removed the file within 20 minutes, and also worked to clear search engine caches. I then worked directly with the Superintendent, David Burleson, who asked for my help drafting a letter to victims, which I was happy to do. As I drafted the letter I put factual assumptions in [brackets], and for the sake of expediency omitted some of the instructions, replacing them with asterisks. I handed him the letter and told him to review it for factual accuracy and run it by his legal counsel. In addition to the brackets and asterisks, my draft of the letter committed the school district to do five things, including contracting with an identity theft protection company to provide free credit protection services to victims.

Days after I sent the letter to the school district, the Hickory Record ran a copy of the letter as sent by the school district, and I had to chuckle when I saw all of my brackets and asterisks still in the final copy. For example, “As of now, [we don't have any evidence that anyone with bad intentions has seen your personal information].” I also wanted their general counsel to confirm whether North Carolina allowed for credit freezes. The final copy encourages victims to get a credit freeze, with a note to the general counsel: “[Note: Not all states allow a credit freeze].” And this omission, made for the sake of expediency: “visit www.ftc.gov, and click on ‘***’ for more information.” The Hickory Record has since done some copy editing on behalf of the school district, and edited out the brackets.

Therefore, What?

Now in their defense, I’ve got to give the school district credit for making a good faith effort to notify their employees of the breach. And I can’t be too critical of their failure to edit the letter, especially in a small school district with limited resources.

On the other hand, it turns out they did edit the letter. The school district conveniently removed the promise to provide identity theft protection services to victims. This selective editing is symptomatic of systemic problems with protecting consumer privacy:

  • The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. This means that there is a strong financial incentive to do as little as possible to prevent, announce, or clean up a breach. The result is victims often don’t get all of the facts or protections they need.
  • The fox is guarding the hen house. A cruel irony of data breaches is that the responsible organization has a strong incentive to hide or skew the details. Many breaches are under-reported or unreported, regardless of applicable law. With very few exceptions, even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.
  • Privacy Naivety. If you have ever asked customer service, “does your organization ever share my personal information with other organizations,” the answer is always (and incorrectly) “no.” Unfortunately, consumers incorrectly assume that laws and privacy policies protect their personal information. Employees incorrectly assume that their privacy practices are sound, while company policies often amount to little more than a privacy waiver. An environment of naivety breeds carelessness and increases the risk of breaches.

Consumers should always read breach announcements with a skeptical eye, and press the breaching organization for as much detail as possible.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Into the Breach | Comments (3)

Security Roundtable for October 11, 2008 - Social Media Ethics

The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.

With the help of Jennifer Leggio – social media expert, former journalist and friend of the Security Roundtable – we take on the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers and podcasters, and especially the individual responsibility of those consuming the information.

This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard – you must use your real name).

Learn more about the participants:

Jennifer Leggio

http://blogs.zdnet.com/feeds/

http://mediaphyter.wordpress.com/

http://twitter.com/mediaphyter

Martin McKeay

http://www.mckeay.net/

http://netsecpodcast.com/

http://twitter.com/mckeay

Michael Santarcangelo

http://www.securitycatalyst.com/

http://www.intothebreach.com/ (books now available – eBook or hardcover)

http://twitter.com/catalyst

Standard Podcast [40:29m]


Posted in Security Catalyst Community, netcast | Comments

Catalyst Community Update for October 21, 2008

After a great time at the Microsoft Small Business Summit, I flew home only to spend 5 hours on delay in the Newark airport. I was fine, but was missing the RV! Well, we got the RV back on Friday, loaded it up and headed out on Saturday. We arrived Sunday night in Kansas City – and I was honored to deliver the keynote for the Midwest Consolidated Security Forum today. It was a blast to see some old friends while making new ones, too.

Due to popular demand - James Costello and I will be hosting a session tomorrow on how to build an awareness program that works, based on our Pop Culture Security program (and yes, I am WAAAAY late on posting our next episode. I blame the thieves - and am almost caught up). Join us if you can! Thursday I am honored to be invited to the CCKC event - 7pm local time. It’s a busy week.

Next Stop? Seattle! I will be leading a session at the Secure World Seattle event – and hoping to meet many of the Security Twits and good friends in the area. It will be my first Halloween in Seattle – and we’re looking forward to it!

Discussion Forum Activity

Here are some recent discussions ripe for contribution or learning:

List of community bloggers and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts - let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)


About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (meaning there is no charge to join) – the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

  • Go here: http://www.securitycatalyst.org/forums/
  • Select the register link
  • Follow the naming standard: firstname.lastname (include the period between first and last names)
  • Your account will be reviewed and approved
  • Jump in and share your thoughts!


Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

I am also spending more time on Twitter these days – and would love to engage in the conversation with you. You can learn more about Twitter here: http://twitter.com/ and “follow” and chat with me here: https://twitter.com/catalyst

Coming Up:

  • Week of October 20: Kansas City for the MCSF Keynote http://www.mcsfonline.org/
  • Week of October 27: Seattle - Secure World Seattle (look for more details coming soon)
  • Week of November 3: Portland, Oregon, Keynote for: http://www.nwsecurityconference.com
  • Week of November 10: (transit back to East Coast, perhaps via Dallas)
  • Week of November 17: DC Metro - CSI Conference (look for more details) and Philadelphia, PA for a private briefing for the CSO Breakfast Club


Join The Security Catalyst LinkedIn Group

For active members of the Security Catalyst Community

http://www.linkedin.com/groups?gid=27010


Posted in Information Protection | Comments

Vacuums and Security

By Adam Dodge

This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.

That’s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of – let’s call it crud – that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming, and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.

So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called “I’ve been doing it this way for X years”. (This wall is also known as “Other organizations are doing it this way”.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.

One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to improve security by implementing solutions that offer minimal differences in all aspects. In other words, replace the broken vacuum with a new one, not a mop.

However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet unfamiliar, control will only lead to frustration and avoidance of the new control.

Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white haired cat plus upholstery equals a chore!) However, other attachments, such as the “electro-static duster”, are not so useful.

The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that: optional. While these gewgaws may add value, the main focus of the control needs to be the basic functionality of the control.

So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated or non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.


Posted in Information Protection | Comments

What’s Your Personal Unique Selling Proposition?

By Joe Coates

Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”

What would you say? Do you have an answer prepared? Does your answer have words like “synergize” or “leverage” or other corporate vision-speak that means next to nothing?

As the current financial credit crisis spreads across the globe, it is imperative to your career that you give serious thought to crafting a Personal Unique Selling Proposition (USP) for your job.

So what’s a USP? The term was coined by an advertising and marketing heavyweight named Rosser Reeves in his 1961 book Reality In Advertising. I believe the idea was best described by Dan Kennedy. He says your USP needs to communicate to your audience why they should choose you over all their other alternatives, including doing nothing. So from a Personal USP perspective, think about why your organization should choose you, above all other alternatives, to deliver the results you are expected to deliver.

Probably the most famous USP in recent history is Domino’s classic “Fresh, hot pizza delivered in 30 minutes or less, guaranteed.” Domino’s chose to focus on their ability to get the pizza to their customers hot and in a half hour or less. They never claimed the pizza would be any good. And thanks to that USP, they sold a lot of pizzas that were not very good. But they were hot, and they came pretty quick, and you didn’t have to go get ’em.

Michael Santarcangelo’s USP for his terrific book Into The Breach is his approach to protecting information by educating actual living, breathing, thinking human beings on how to consciously protect information. So while the market is preaching from the gospel of “Technology Will Save You”, Michael’s approach is to say technology is necessary and useful, but ultimately not enough if the people responsible for protecting information aren’t aware of the potential effects of their actions.

So how can you create a personal USP? This is a great mind mapping exercise. Start by plotting out what you are responsible for, and how that impacts the organization you work in. What organizations do you directly touch? What financial impact does your work have on the organization? What would happen if your role were eliminated?

Take your time with this. It is well worth the effort. So much of the marketing we are exposed to on a minute by minute basis is focused on being cute and clever, not on delivering an impactful statement on what makes the product or service unique. For inspiration, take a good look around at Michael’s Security Catalyst website and see how his positioning is so different from the rest of the IT security consulting marketplace. Then, for the rest of the day, really ponder the ads, PowerPoint presentations (UGH!), radio spots and TV commercials and notice if any of them communicate a unique message about what they are selling. My guess is you’ll find less than 10% do. More likely less than 5%.

In closing, remember what Thomas Edison said: “Opportunity is missed because it is dressed in overalls and looks like work.” Do the hard work to develop your Personal USP. Then deliver on it and see the difference it makes in your career.


Posted in Catalyst Insights, Information Protection | Comments

Join me in Kansas City - next Thursday (October 23, 7pm)

While in Kansas City next week, I have been invited (thanks Ax0n!) to the Cowtown Computer Congress – and look forward to a relaxing and engaging evening. If you are in or near the Kansas City area, I hope you make the time to come and spend time with other passionate professionals.

More details here: http://www.h-i-r.net/2008/10/catalyst-on-tour-michael-santarcangelo.html


Posted in Catalyst onTour, Professional Speaking | Comments

Announcing the Into the Breach eBook edition — with special offer (free, as in beer)

Into the Breach is currently available in hardcover edition – and can be purchased directly from the intothebreach.com website, amazon.com and your favorite bookseller. Walking through the airport(s) today, I realized this is a book designed for reading on an airplane (but I digress…)

I previously announced that a Kindle version is available on amazon.com. While I am working on the audio book edition, we took a different approach with the eBook version. The content is the same, but we engaged Designs by Reese (who did a fabulous job!) to convert the words into a design that works better for reading on the screen, or for printing and making notes. By literally designing the eBook, we were able to use landscape mode, leave plenty of whitespace and choose fonts to make it easy to read and follow along.

I am pleased to announce the eBook version is ready to share!

The ordering mechanism is just about completed, so to celebrate the eBook and our relaunch of Catalyst onTour, I am going to offer free copies of the Into the Breach eBook to my fellow catalysts connected to me through LinkedIn. I anticipate sending out the codes at the end of the week.

The book is, of course, for sale - and when you visit intothebreach.com, you will also be able to select a hand-signed edition - personalized - for you at no additional charge. But if you want to get a copy of the eBook for no charge and with no strings attached, then we need to be connected.

Why LinkedIn?

Why not? Seriously, though, the goal of the book is to help solve problems. Catalyst onTour is about bringing an optimistic message, proven approach and support necessary for introducing change around North America (of course, we’re happy to travel the world, too). I see LinkedIn as a viable way to build connections and improve how I am able to help others. Throughout our travels, we hope to use LinkedIn to meet up with friends, meet new people and keep connected.

Connect with me on LinkedIn

Connecting to me is easy - my public profile is here: http://www.linkedin.com/in/securitycatalyst

And if you want to send an email to connect us, feel free to use my securitycatalyst at gmail address and we’ll be connected! In addition to the eBook codes (and trip update) I’ll be sharing later this week, do not hesitate to contact me if I can help you in personal or professional ways.

I look forward to journeying Into the Breach with you and changing the way people protect information.


Posted in Information Protection | Comments

Catalyst Community Update for October 14, 2008

It is with excitement that I board an airplane this morning bound for Redmond, Washington. I am participating in the Microsoft Small Business Summit – speaking on not only the protection of information, but also how the return to fundamentals outlined in Into the Breach allows companies to improve profits and reduce spending. We all know making or saving money while improving how information is protected is essential these days – and I am excited and honored to share my research and insights with those who tune in.

Please make some time tomorrow (Wednesday) to join me live!

http://www.microsoft.com/smallbusiness/summit/

When I get back on Thursday, we load up the RV and head back out onTour – next stop, Kansas City. Let’s make some time to meet up while I am there. Plans are in the works, with more details to follow soon.

Discussion Forum Activity

Here are some recent discussions ripe for contribution or learning:

Upcoming Places to Meet (and interesting Off-topic conversations)

List of community bloggers and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Here are some recent blog posts from Community Members that you may have missed:

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (meaning there is no charge to join) – the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

  • Go here: http://www.securitycatalyst.org/forums/
  • Select the register link
  • Follow the naming standard: firstname.lastname (include the period between first and last names)
  • Your account will be reviewed and approved
  • Jump in and share your thoughts!


Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

I am also spending more time on Twitter these days – and would love to engage in the conversation with you. You can learn more about Twitter here: http://twitter.com/ and “follow” and chat with me here: https://twitter.com/catalyst

Coming Up:

Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out – and amazingly, don’t really miss a beat!

  • Week of October 13: Seattle for the MSFT Small Business Summit http://www.microsoft.com/smallbusiness/summit/
  • Week of October 20: Kansas City for the MCSF Keynote http://www.mcsfonline.org/
  • Week of October 27: Seattle – Secure World Seattle (look for more details coming soon)
  • Week of November 3: Portland, Oregon, Keynote for: http://www.nwsecurityconference.com
  • Week of November 10: (transit back to East Coast, perhaps via Dallas)
  • Week of November 17: DC Metro – CSI Conference (look for more details) and Philadelphia, PA for a private briefing for the CSO Breakfast Club

Join The Security Catalyst LinkedIn Group

For active members of the Security Catalyst Community

http://www.linkedin.com/groups?gid=27010


Posted in Security Catalyst Community | Comments

Join me at the Microsoft Small Business Summit This Wednesday

I am honored to be a speaker on protecting information for the Microsoft Small Business Summit on Wednesday. I fly out to Redmond on Tuesday morning – and have my moments during the day on Wednesday.

You can follow along live! At this link:

http://www.microsoft.com/smallbusiness/summit/

I am a day 2 speaker – with an impressive lineup of guests:

http://www.microsoft.com/smallbusiness/summit/guests.aspx

This is a live program, but I have been working with the producers for a few weeks now – and I am excited about the questions, thought process and opportunity to share some different thinking about what businesses need to do to protect themselves. More, we’re also going to explore how the right approach to protecting your business can actually save money and increase the opportunity for more revenue (as outlined in Into the Breach). To me, that’s a really cool conversation.

I hope you check it out. I look forward to the opportunity to continue the conversation through this blog, the podcast(s) and as we fire up the diesel and head out on the road again (Friday – next stop, Kansas City!).


Posted in Catalyst onTour, Information Protection, Into the Breach, Professional Speaking | Comments (1)

Are you making it easier for people to do their jobs?

If you have heard me speak publicly, you know I advocate that the role of a security professional is to make it easier for others to do their jobs – while protecting information.

To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, the network operates in a way that does not impose a burden on users.

While at the “Apple Festival” last weekend, we took time to visit one of my favorite exhibits – a museum of working, but retired, farm equipment. Much of it is from the turn of the century through the 1960s. Some of the equipment was routinely used in the act of farming and other support roles until the 1980s and 1990s.

I can’t explain why, but I have always been drawn to pickup trucks, tractors and flashlights. So to see a working series of tractors far older than I am is simply amazing. As a kinesthetic learner, I am immediately transported back in time – and allow myself to be fully absorbed in the moment. I love learning. Period. But I really love learning about history – and specifically how improvements shifted the way things were done.

That brings us back to security. I have a sense that many organizations have lost sight of what they do, what they provide. The recent break-in and burglary of our RV put us in contact with a lot of different organizations. The responses have been interesting – and illuminating. And when the emotion has had a chance to subside a bit, I’ll post a transparent account of what we learned. What I can share today is that many organizations have lost a sense of who they are, what they do and who they serve.

But it is not too late!

Last Sunday, I watched simple – yet powerful and impressive – machines in action. What struck me most was the fact these machines were designed and used to make it easier for people (farmers, in this case) to do their jobs. They allowed them to do more with less, expand their farms, provide for more people or make more money with the resources they had. These simple machines (especially by today’s standards) were powered independently, easy to understand, use and repair. Did I mention they still work?

In fact, these machines were so simple that my five year old could quickly and easily understand what they were, what they did and how they worked. Can you say the same about the way information is protected in your organization?

The more we travel, the more I meet with people who explain their elegant laptop encryption solutions, extravagant VPNs and other measures to protect information. But when I have the opportunity to work with the people upon whom these ‘solutions’ are inflicted, I find that the solutions were not designed and implemented with people in mind; as a result, they actually make it harder for people to do their jobs. This brings the unintended consequence of further disconnecting people from their responsibility to protect information – and ultimately creates more risk that is more difficult to assess, measure and manage.

I wrote Into the Breach to present a straightforward solution that any organization can use to make an immediate difference in the way people protect information. We are launching the Protecting Information Program to provide the additional guidance, insight and accountability people need to make the shift. I look forward to the opportunity to meet and support your efforts to make the change and join me in the challenge to change the way people protect information.

Until then, when you can, go check out some old farm equipment – and notice how it made it easier for people to do their jobs. Then ask yourself a simple question: is the solution I am working on going to make it easier for people to do their jobs?


Posted in Catalyst Insights, Information Protection, Into the Breach | Comments