
Archive for Security Awareness Training

Why Teams Reinvent the Wheel

After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers. Rarely are these answers tied to a standard framework or definition; instead, they tend to be based on the experience of the expert being asked (or offering their opinion anyway). In my experience, the resulting workshops muddle the opinions together to produce a result people claim pride in (because they have their own opinion incorporated) — but rather than building on the wheel, it often reinvents the wheel.

Note: this can be easily tested. With the new awareness of the trend, look for it during a meeting, workshop or even in the stream of answers given on a mailing list of professionals. In most cases there will be a flood of answers that *seem* correct, but lack references or links. While this is not always a bad thing, it often leads to confusion and complication.

While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing but with a variety of tools and ways to do it. Most “security” professionals feel that none of them is complete and continue to search for the holy grail (which means they decide to build it better).

This is an inherent challenge – and benefit – to working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of working to muddle them together into something that looks like the wheel we already have, but only slightly different (and not necessarily better).

In order to prevent the unnecessary reinvention of what already exists — and use time and resources to get better results — it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it):

1 - “Truthiness” Strikes Again!
If you have not (yet) watched The Colbert Report, “truthiness” is the term he coined, defined as:

“things that a person claims to know intuitively or “from the gut” without regard to evidence, logic, intellectual examination, or facts.” [http://en.wikipedia.org/wiki/Truthiness -- this is entirely worth the quick read and consideration]

There is too much “truthiness” in security today — inherent in the myriad of certifications, frameworks and solutions — and the industry overall. I suspect it is a result of exerting professional opinions combined with a [perceived] lack of time to back it up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others.

The paradox is these different opinions are precisely what is needed to distill to the core essence necessary for an effective solution. These opinions need to be captured, tied back to references and distilled for important elements. However, when faced in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be “right.” Just because someone “claims it so” doesn’t make it true (even if it is written on the Internet).

Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of “fact”, but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 - hat tip: Lori Mac Vittie), individual emotion and reputation becomes entangled in the result; this introduces unnecessary complication that muddies the end result.

(Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? If you’re not reading this regularly, you should consider it.)

2 - Failure to Focus on Fundamentals
The value of pulling together a team of professionals lies in their collective experience. These experiences inform opinions that are important when used to explore or contrast fundamental concepts. The challenge is ensuring the opinions are couched properly and tied back to the appropriate fundamental concepts. All too often, fundamentals — which take time to review, distill and cite — are left by the wayside. People accept “close enough” as being “good enough,” when, in fact, it is not (well, except for horseshoes and hand grenades).

Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept “close enough” and rely on truthiness (after all, it works in their professional lives). Failing to focus on fundamentals (or at least reference sources) leads to confusion of language, resulting in wasted time and effort. This extends beyond the current session to future sessions where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress.

Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding to the same perspective, it becomes increasingly difficult to reach the same conclusion.

3 - Groupthink Prevails

“Groupthink is a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas. During groupthink, members of the group avoid promoting viewpoints outside the comfort zone of consensus thinking. A variety of motives for this may exist such as a desire to avoid being seen as foolish, or a desire to avoid embarrassing or angering other members of the group. Groupthink may cause groups to make hasty, irrational decisions, where individual doubts are set aside, for fear of upsetting the group’s balance.” [http://en.wikipedia.org/wiki/Groupthink]

Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively.

This lack of practice in participating in argument is also hampered by the personal emotion. When the argument is centered on the idea of a person instead of a fundamental concept and how it is applied - it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results.

Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those who are less certain of the facts who decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tacit approval (and sometimes whispers in the corners).

Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed.

Your New Wheel (wait, did you want a new wheel?)
What about personal pride and taking ownership of the solution?

While “ownership” is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions “not made here” (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in.

How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.


Posted in Catalyst Insights, Information Protection, Security Awareness Training

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call  206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com


PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit - and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable - shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

Podcast: Security Catalyst Show | Pop Culture Security

Posted in Information Protection, Security Awareness Training, compliance, netcast

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages used by Debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

Podcast: Security Catalyst May 21 2008 [33:06m]

Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast

How Office Pranks Can Make Your Job Suck Less

Special Segment by Brad Montgomery

Brad is a friend of mine who has worked to improve my ability to use humor. He’s witty, funny and nice. As a “corporate comedian” he always cracks me up - so I asked him for some advice on how to use what he knows to ease some stress and improve the workplace, and he agreed. Here is what he shared! — Michael

I love harmless, victimless office pranks. Before I give you a couple cool pranks you can do today, let me tell you why I love them.

Practical jokes are fun, create fun, and inspire fun. When I talk to my clients about boosting humor in their workplace (which increases productivity, improves morale, and aids with employee recruitment and retention), one of the main points I teach is that humor doesn’t start spontaneously. It’s not like a lightning strike. It has to be created, nurtured, and fed.

If your goal is to LEAD the way to humor, the single best way to create an environment conducive to fun is to demonstrate an appreciation for humor yourself. In other words, if you want to have more fun at work, you don’t have to be able to tell jokes, wear clown shoes, or crack wise during meetings. (Though if those things float your boat, go for it!) Instead, show appreciation for a good joke or prank, and laugh at other people’s wise cracks.

Guess what happens when you demonstrate this appreciation of humor? You’ll hear more jokes, you’ll see (and fall victim to) more pranks, and you’ll be entertained by wise cracks. See the brilliance? In order to lead the way to more humor at work, you don’t have to be funny at all. All you have to do is DEMONSTRATE that you like it when other people are funny.

Ok… this is where pranks come in. When you pull a prank, you’re shouting to the world, “Take me on! I love to laugh! Go for it!” And lucky you … your people will listen.

So, how ‘bout a couple of easy, victimless, won’t-get-you-sent-to-the-HR-department pranks you can execute today? Easy. Here are three:

• Use tape loops to tape your workmate’s telephone receiver to their phone. (So when they try to answer the phone they can’t “pick up.”)
• Put a small piece of tape over the laser on the bottom of somebody’s mouse. It will simulate a broken mouse.
• Change the height of a workmate’s desk chair. Do this one time and it’s funny. Do this twelve times over the course of two weeks, it’s hilarious.

Now all you have to do is to laugh. Smile. And wait for the joy — and pranks — to come back to you. And they will.

Good for you… now you’re doing your part to Lead the Way to Laughter.

==
Brad Montgomery is a motivational humorist speaker, author, and facilitator. He works with groups who want to laugh-out-loud while learning how to make their workplaces more fun. You can reach Brad at BradMontgomery.com and read his latest rants and ideas at his blog: Bradlaughs.com

Posted in Information Protection, Professional Speaking, Security Awareness Training

The Honey Stick Project - Part 2 (Experiment Design and Execution)

This is the second part of our three-part guest series with Scott Wright, discussing the motivation, ideas and findings of the newly launched Honey Stick Project. — Michael

By Scott Wright

The basic concept of the project’s initial phase (called Stream 0) was to drop USB drives loaded with files that contained HTML links to files on a website. When each file was opened by double-clicking, the native application (e.g. default browser, MS Word or Adobe Acrobat) would launch and try to load a referenced file automatically. All of the links contained on each USB drive would include a unique ID number, so I could identify which device was being used when the HTTP requests were logged at the website.

There was certainly a temptation to gather the IP addresses of the hosts from which devices were being accessed, primarily to identify the organization that owned the IP address space by doing reverse DNS lookups. However, the only value I could see in doing this was to identify organizations that might benefit from security awareness training to teach their staff about these risks. While this might be a source of leads for my business, I felt that using the information in this way would probably put the organization on the defensive in any sales call I could imagine.

“Hi Mr. CSO. I’m calling to let you know that one of your staff picked up a Honey Stick and used it from within your network.” Responses I expect might range from, “Go away, you pervert! You don’t know anything about my network, so stop following my staff around.” to “So what? I have more important things to worry about, like the auditor waiting for me in the President’s office.”

Consequences, Considerations and Responsible Handling
I was also concerned about the potential worst-case consequences of the requests being made without the user’s consent (regardless of the fact that the device they were using was clearly not their own). What those consequences might be, I was not quite sure. However, if somebody were to get fired from their job because they were found to be using unauthorized devices on their employer’s networks, I did not want there to be any uncertainty about the liabilities. So, I started drafting a paper to describe the scenarios related to data collection through “Trackable Content” on devices deliberately meant to be “found” and used. This paper is now posted on the Honey Stick Website at White Paper on Privacy Considerations for Trackable Content on Mobile Storage Devices.

In the paper, I describe the basic scenarios where different types of content could be placed on Honey Sticks (both for research and for active attacks such as something I called “Stick Phishing”). I also described what I felt to be the best approaches to deploying Honey Sticks safely for legitimate purposes, as well as safeguards that individuals could use to render these initiatives ineffective. After all, the intent was to educate people on the risks around using unknown devices. The feedback from reviews of the paper was very helpful, and led me to the decision not to capture IP addresses at all, as they could be seen as being used for profiling or targeting people. The related privacy issue really depends on how you use IP addresses. So, once again I tried to steer clear of any grey areas to keep the experiment safe for everyone.

Finally, I was confident enough in the concept to start creating a file set and website that would support the experiment. In Stream 0, all the files are identical, with the exception of the parameters in the URLs that reference the website. I am keeping the exact filenames, content and websites confidential, since the experiment is ongoing, and I want to avoid having somebody in the lunatic fringe trying to skew the results.

While most of the files have meaningful filenames, and some have meaningful text links within them, the only content that is meaningful to the user is contained in two of the files. One file briefly explains the Honey Stick Project, and offers the user the chance to indicate whether they plan to: (1) discard the device, (2) keep the device, (3) redeploy the device, or (4) return the device. By clicking on a link in the file, a request gets logged with a unique URL. The other file is a plain text file called “owner_contact_info.txt”. This file contains information about how to contact me in several ways, in case the user decides to take action to return it. (Don’t laugh, it has already happened more than once…) There is also a website reference to the Honey Stick Project for more information.
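The experiment above boils down to three design decisions on the logging side: each request carries a unique device ID, one file lets the finder declare an intent (discard, keep, redeploy or return), and client IP addresses are deliberately not kept. The following is an added illustration of how a request log could be summarized under those rules; it is not Scott’s code, and the log lines, the `/track/` paths and the `dev` and `intent` parameter names are constructed assumptions, since the real filenames and URLs are kept confidential.

```python
"""
Added example (not part of the Honey Stick Project's own code): tally
"phone home" requests from a web-server access log by the unique device ID
embedded in each URL, recording the finder's declared intent, while
dropping the client IP address on purpose, as the project decided.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Common Log Format. The /track/ paths, the
# "dev" and "intent" parameter names and the device IDs are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2008:09:14:03 -0400] "GET /track/open.gif?dev=1042 HTTP/1.1" 200 43
203.0.113.7 - - [20/May/2008:09:14:05 -0400] "GET /track/open.gif?dev=1042 HTTP/1.1" 200 43
198.51.100.22 - - [20/May/2008:11:02:17 -0400] "GET /track/info.html?dev=1043&intent=return HTTP/1.1" 200 1532
192.0.2.9 - - [21/May/2008:08:30:44 -0400] "GET /track/open.gif?dev=1042&intent=discard HTTP/1.1" 200 43
192.0.2.9 - - [21/May/2008:08:31:10 -0400] "GET /robots.txt HTTP/1.1" 404 208
"""

# Common Log Format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# The four choices offered in the explanatory file on each device.
INTENTS = {"discard", "keep", "redeploy", "return"}


def parse_line(line):
    """Return (timestamp, device_id, intent) for a tracked-content request,
    or None for anything else. The IP field is matched only to validate the
    line shape; it is never returned, so nothing downstream can store it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    dev = query.get("dev", [None])[0]
    if dev is None or not dev.isdigit():
        return None  # ordinary web traffic, not a Honey Stick file
    intent = query.get("intent", [None])[0]
    if intent not in INTENTS:
        intent = None  # ignore unexpected or tampered values
    return m.group("ts"), int(dev), intent


def summarize(log_text):
    """Per-device summary: request count, first-seen timestamp and the
    distinct intents declared. No IP addresses appear in the result."""
    devices = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, dev, intent = rec
        entry = devices.setdefault(
            dev, {"requests": 0, "first_seen": ts, "intents": []}
        )
        entry["requests"] += 1
        if intent and intent not in entry["intents"]:
            entry["intents"].append(intent)
    return devices


if __name__ == "__main__":
    for dev, info in sorted(summarize(SAMPLE_LOG).items()):
        print(dev, info)
```

Because `parse_line` is the only place the raw line is touched and it discards the IP before returning, the privacy decision is enforced in code rather than by policy alone; repeated requests from the same device (the two `open.gif` hits for device 1042) are counted but not attributed to a host.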

Device Selection
The devices I’m using are the cheapest USB drives available; currently between 256MB and 1GB, and costing between $6 and $8 Canadian from large retailers. As you can see by visiting the “Stream 0 Results” page of the Honey Stick Project website, I’ve been leaving them in various publicly accessible locations, including coffee shops, libraries, hospitals, office buildings, hotels, recreation centers, etc. So far, I have not been putting any labels on the devices, except for some chicken scratches that mean something to me, but could easily appear to be normal wear and tear to the Finder.

It turns out that the exact location within each site can cause a difference in response rates. For quick response, I want people to pick them up and be able to get to a connected computer as soon as possible. In many retail product and service companies, it’s too easy for people to turn them in to a cashier or desk and have them sit in a “lost and found” for several weeks, or longer. Phone stalls, washrooms and elevators seem to be good for having them picked up almost immediately. So, Stream 0 is helping me learn about these subtleties. Perhaps I’ll be able to target specific types of locations that will allow me to get higher response rates in future.

Budgeting
As for budgeting, I will do 10 or 15 at a time, as I can afford it. I am accepting sponsorships on the site to allow for the purchase of more devices. It may also be possible for me to package device “loads” for indoctrinated “HSP Fellows” to distribute in their own cities, or when they are traveling.

Stay tuned for the next installment, when I discuss some of the findings so far, and what the future may hold for the Honey Stick Project.

Posted in Information Protection, Security Awareness Training

Rethinking Privacy Policies

When is the last time you actually sat down and read a privacy policy? What about writing one?

In the last week, I have read some (painful), written and updated one (interesting) and started to consider how they drive (or not) actions around how people protect information. I think we need to reconsider our privacy policies…

Sometimes a confluence of events presents themselves to shape thinking in new and important ways:

1. Last week I updated the privacy policy for the Security Salon. In the process, I reviewed a lot of policies, checked out the “privacy policy generators” and tried to craft a policy that was fair, made sense and was technically accurate — as well as captured the essence of my intentions. To be fair, I felt the “generators” were confusing and limiting. In the end, I generated a policy and then modified it by hand. No doubt, it’ll evolve.

2. On Friday, an article on a local company (High Peaks invests $500K in software developer Apprenda) stood out to me for two reasons:

a. This is a Software as a Service (Saas) company. They represent a growing trend that holds some important lessons and opportunities for changing the way people protect information.

b. They are a startup, and they actually have a dedicated security resource onsite as a founder - and his title is “Vice President of Security and Infrastructure.” This suggests security is top of mind.

3. This weekend, it was reported that 13 people were fired and another dozen or so — including doctors! — have been disciplined for accessing Britney Spears’ medical records. Sadly, this activity is not new in the realm of medical records, and the reaction is not surprising.

So I wrote a privacy policy, learned about a company handling information that was founded with security engaged from the beginning and read about the results of people violating the privacy of a medical patient. They all stayed with me — and then last night, I learned why.

Last night, I approved a comment to a post I wrote over two years ago. Normally, this is a sure sign of spam. In this case, it was not spam - and better. It was the catalyst that pulled my thinking together (yes, catalysts rely on other catalysts - now you know).

The comments were focused on the privacy policy of Plaxo. Keep in mind, the post is old and the privacy policy has probably evolved. Stacy Martin has moved on and the new Plaxo Privacy Officer is Redgee Capili. All of that notwithstanding, here is an excerpt from the recent comment that got me thinking:

…you did NOT say that Plaxo will not read the data of their customers… It would be nice to see a policy shuch [sic] as “Plaxo will not read the data of its customers unless 1) explicit permission is granted from the customer or 2) a law enforcement agency with appropriate juristiction demands to see the data.”

This is a subtle point and an interesting question - if someone provides a service, beyond protecting the information, should they have access to the data they hold? If so, for what purposes? I even question what it means to “read” - machine or human? Is there a difference?

At the same time, a fascinating post popped up yesterday in the Security Catalyst Community, asking the ‘right’ way to handle ‘discovered’ PII: Handling Discovered PII. Great question!

We face a human problem. We need a new approach. Where to start? When it comes to privacy policies - I think we need to start with some active and transparent conversations about responsibility. What do you think?

Posted in Information Protection, Security Awareness Training

Improve your security awareness training with pedometers

The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, how you address “feedback” is crucial to your success. When we learn new concepts and try new ideas, we need constructive feedback to keep motivated and provide guidance. I’ve noticed that many of the security awareness training programs I assess use punitive measures to show users when they do something wrong — things like red tape flags when people violate a clean desk policy.

Not surprisingly, these measures often fail and wind up polarizing our users against your efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.

Information to Reinforce Good Behavior
Recently, the USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K. JOHNSON, Associated Press Writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with pedometers, they are a simple device that can be worn on the belt, and when adjusted to your stride, help measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).

Five Lessons Pedometers Teach us about Security Awareness Training
1. The pedometer provides an unobtrusive (and generally trusted) measure of the person’s actions. Further, they can choose to share or keep their results private.

2. Most users keep a log of their “steps” per day - helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.

3. Most of us are motivated by a challenge - using a pedometer encourages the wearer to “take a few more steps.” Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!

4. The challenge can be spread to others. Everyone likes healthy competition.

5. Users are aware; they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.

Once you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.

Posted in Security Awareness Training

Have you considered engaging a professional speaker to turbo charge your efforts?

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased - but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speakers Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor, and deliver it in an engaging, entertaining and simple-to-understand way.

Each of these programs can be tailored for your audience. Call me for program summaries or to explore how I can help you solve your information protection challenges.

Mind the Gap
Journey into the breach, protect information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership (one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speakers Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding - and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement - speaking or training - receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker, you get my insights, my passion and my experience, and I always bring my contagious energy and can-do spirit.

Posted in Information Protection, Professional Speaking, Security Awareness Training, compliance

Vishing Fraud - live example

I receive all kinds of exciting spam, as do most people. The phishing emails are a dime a dozen… but today was interesting. I received my first Vishing attempt. Even more interesting, it was a Vishing/Phishing hybrid.

What’s Vishing? Wikipedia has a decent definition page - http://en.wikipedia.org/wiki/Vishing

In summary - “Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP allows for caller ID spoofing, inexpensive, complex automated systems and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.”

The phone number in the email below is most likely an Asterisk (http://www.asterisk.org/) system designed to receive phone calls via VoIP. When you call it, a synthesized voice asks for your card number, 4-digit PIN, and expiration date. This is a slick scam, but not that slick - if it were, they would have also asked for the CVV2 code and asked the owner to record their name and address. They also have something to learn about forging email headers. “decuritydepartment.com” isn’t very believable, but I’m sure some poor soul will fall for this scam. They also didn’t do any kind of validation checking on the card. I called the system, and 1111111111111111 worked just fine, though all Bank Identification Numbers (BINs) for MasterCard issuers start with numbers in the range of 51-55.

Still - the bad guys are getting better at their craft, and as I mentioned, some poor souls are bound to fall for it.

The scam email follows:

From: MasterCard <mastercard@decuritydepartment.com>
Reply-To: noreply@mastercard.com
To: undisclosed-recipients : ;
Subject: Please reactivate your card
Date: Wed, 7 Nov 2007 13:52:36 -0800 (14:52 MST)

Dear MasterCard customer,

We regret to inform you that we have received numerous fraudulent emails which ask for personal
account information. The emails contained links to fraudulent pages that looked legit.

Please remember that we will never ask for personal account information via email or web pages.

Because of this we are launching a new security system to make MasterCard accounts more secure
and safe. To take advatage of our new consumer Identity Theft Protection Program we had to
deactivate access to your card account.

To activate it please call us immediately at (641) 665-6048

Activation is free of charge and will take place as soon as you finish the activation process.
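As an added example (not part of the original post), here is a small Python heuristic that flags, on the message quoted above, the tells the post itself points out: a From domain that matches neither the Reply-To domain nor the brand named in the display name, a callback phone number in the body, and urgency language. The sample message is constructed from the headers and body quoted in the post, and the brand-to-domain lookup is an assumption for illustration, not an authoritative list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers and body copied from the scam message quoted in the post.
SAMPLE = """From: MasterCard <mastercard@decuritydepartment.com>
Reply-To: noreply@mastercard.com
To: undisclosed-recipients: ;
Subject: Please reactivate your card

Dear MasterCard customer,
To take advatage of our new consumer Identity Theft Protection Program we had to
deactivate access to your card account.
To activate it please call us immediately at (641) 665-6048
"""

# Assumed brand -> legitimate domain lookup (illustrative only).
BRAND_DOMAINS = {"mastercard": "mastercard.com"}
# North American phone number, with or without parentheses/separators.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY = ("immediately", "deactivate", "reactivate", "suspended")


def domain_of(header_value):
    """Return the lower-cased domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def vishing_indicators(raw):
    """Parse a raw RFC 2822 message and return the names of the indicators found."""
    msg = message_from_string(raw)
    from_header = msg["From"] or ""
    from_domain = domain_of(from_header)
    reply_domain = domain_of(msg["Reply-To"])
    body = msg.get_payload()
    found = []
    # Sender and reply path point at different domains: replies go elsewhere.
    if reply_domain and reply_domain != from_domain:
        found.append("from/reply-to domain mismatch")
    # Display name claims a brand, but the address is not on that brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in from_header.lower() and not from_domain.endswith(legit):
            found.append(f"brand '{brand}' claimed from {from_domain}")
    # A phone number to call back is the vishing hook itself.
    if PHONE_RE.search(body):
        found.append("callback phone number in body")
    if any(w in ((msg["Subject"] or "") + " " + body).lower() for w in URGENCY):
        found.append("urgency / account-action language")
    return found


if __name__ == "__main__":
    for hit in vishing_indicators(SAMPLE):
        print("indicator:", hit)
```

All four indicators fire on the sample; a message whose From and Reply-To share a domain, names no brand and carries no phone number or urgency wording yields an empty list.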

Posted in Information Protection, Security Awareness Training