
An Information Protection Tool that Engages Employees

Information Protection Assessment Toolkit (IPAT)

I promised you a case study that demonstrates how the Information Protection Assessment Toolkit (IPAT) changes the way people protect information. In fact, I’m going to give you two case studies in one.

Harold Townley is a Funeral Director and business owner. He also sits on the board of the Town of Ballston. To prove the power of the IPAT, I ran town employees – including Harold – through the IPAT system earlier this year. The result was better protected information for the town and a new awareness about information protection in Harold’s business.

Like all municipalities, Ballston holds information that should not be in the public domain. While there had been no security problem to date, with no plan in place to protect this information, one was always a possibility. They needed the IPAT program.

In Week One I worked with a team of employees to identify what information was held in the organization, where it was held and how it was managed. The next four steps of IPAT involve processing what is learned, analyzing the results, developing an action plan and finally, generating reports. It was after only the first few steps that change was noticed. Involving all employees in IPAT “created an immediate shift in the mindset of town employees regarding information security” says Harold.

But for Harold, the change was extended further. He discovered that he wasn’t only thinking differently about information protection for the city – but for his business as well. At a meeting of funeral directors he encouraged participants to consider how they handle the personal data of deceased people. He wants his profession to consider carefully what is published in newspapers, how data is kept in the business and how requests for information are handled.

Harold doesn’t know that identity theft has occurred as a result of information provided by funeral homes but it is possible and he doesn’t want to be the source of a problem. “Just because we’ve done things one way in the past doesn’t mean we have to continue doing it that way,” he says. Thanks to IPAT, Harold looks at the information held by his funeral home differently. And the town of Ballston is well on its way to a proactive plan that engages all employees in information protection.

The Basics of IPAT
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It involves a set-up session, a toolkit and four coaching sessions. It can be scaled for large and small organizations, involves all employees and is the first step in protecting your organization from a breach.

Contact me (securitycatalyst@gmail.com) to learn more about our Special June Offer for the Information Protection Assessment Toolkit (IPAT).

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection

“Pre” Security Revival Tour Warm-Up

Greetings from Ocean City, MD! We came down here this weekend to spend our Easter Weekend with some friends. Having an RV allows us the ability to travel as a family for work and for pleasure. Now that we’re back on the road, I remember why I love these trips so much (even when I am working): I welcome the opportunity to stop the world for a bit, get outside, relax and unwind with my family.

As I look back on the last few months, I am excited about the ground we have covered and the opportunities that come before us. Thank you for your continued support. As we prepare to take some next steps as a group, I wanted to share with you some plans – both to get your feedback and to ask for your help.

April is proving to be an interesting month: several of the efforts I (and some colleagues) have been working on for the last year are “ready.” In addition to launching some new offerings and solutions, we’re taking the family on an RV adventure in April/May and gearing up for a “Security Revival Tour” in 2007, followed by a “Campaign Across America to Protect Information” for 2008.

I’ll share more details about the tour(s) and such in the coming weeks. I could use your help in selecting cities, helping to spread the word and maybe even guiding some logistics. In return, those that help will receive discounted or free training, coaching and the opportunity to spend some time together.

I need some help - Short Term
In two weeks, we are leaving Albany, NY and heading to: Nashville, Atlanta, Key West and Baltimore. We are currently planning the following schedule:

•    Nashville (arrive Monday, April 23, leave Wednesday April 25 or Thursday April 26)
•    Atlanta (arrive Thursday April 26, Talladega April 27 – 29, back to ATL 4/30 – 5/2)
•    Key West (5/3 or maybe 5/4 to 5/8 or maybe 5/9)
•    Baltimore (5/10 – 5/18)

Atlanta is hopefully going to see the launch of the SEN/Salon and some evening gatherings. I have a long stretch in Baltimore and could really use some help connecting and reconnecting with the various groups I have worked with there.

In each city, we’d like to offer the following programs:
1.    Are you Making a Living, or a Life? (morning) combined with Career Compass Coaching (afternoon)
2.    Speaking About Security (public, private or semi-private)

Where feasible, I’m happy to offer some professional keynotes to the organizations that are in a position to support my efforts (or that are otherwise good groups where a keynote would help you or make a difference).

SCC members can take 10% off or select a BONUS coaching session. In addition, registered participants in each location are eligible to win:
-    coaching session (value: $250)
-    presentation makeover (value: $500)

If you can help, please drop me a note and I’ll send you more information on the different programs, etc. We are working to finalize our marketing plan this week, and then spending Q2 working to get all of our marketing and branding in place. We’re all close!!

Thank you for your help and continued support.

Programs
Speaking About Security
Are You Making a Living, or a Life?
Career Compass Coaching

Available Keynotes
Transform Your Awareness Program
Setting Your Career Compass
Into the Breach
Speaking About Security
Do More with Less and Have Less Stress!


Posted in Information Protection, Professional Speaking

Security Catalyst: Family Security Series Podcast, Episode 2 – Using a Non-Administrative User

You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
-    why you should be using a non-administrative user account
-    how to determine which type of account you are currently using
-    how to create normal user accounts
-    how to change to a regular user account

Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:

• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security + SME
• John Biasi
• Peter Clark, CISSP

If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php

The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(Note: joining the community costs nothing except your active participation! We enforce a naming standard of using your full name; it helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)

Links and Information Mentioned During the Program

Least Privilege

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Determine the current status of a user account

Two basic options in Windows XP
Windows XP: Option 1
• Start -> Run -> CMD (brings up a command prompt)
• Type ipconfig /renew (this will be in the show notes)
• Limited Users will be given an error that access is denied. Administrators will be allowed to renew their IP address.

Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application

If you are a Limited User you will be presented with the option to change your picture or to click on Mail or User Accounts. You are limited to:
• changing your own password
• changing your picture
• setting up your account to use a .NET Passport

If you are an Administrator you will be given the option to Change an account, create a new account or change the way users log on or off.

For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html

Mac OSX
• System Preferences –> Accounts
• Directly under the account name it tells you the kind of account that user has

Create a non-admin account

Mac OSX
• System Preferences –> Accounts
• Check that the lock is unlocked; if not, click it and enter your password
• click on the + sign
• Enter in the information, including a password
• DO NOT check (make sure you leave blank) the box for ‘Allow user to administer this computer’

Windows, pre-Vista
• Start -> control panel
• Select ‘User Accounts’
• Select ‘Create a new account’
• Type in the name of the new user account
• Select the ‘Next >’ button
• Select the ‘Limited’ radio button
• select the ‘Create Account’ button

You’re not done! Time to select a good password
(We will go into details on good passwords in the future)
• You will be presented with a ‘User Accounts’ screen, with a ‘Pick a task’ option. Select the ‘Change an account’ option
• Select the account you just created
• On the next screen, ‘What do you want to change about Child 1’s account?’, select ‘Create a password’
• Enter a strong password in the first two boxes and a password hint in the third box. Then press the ‘Create Password’ button
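The two checks in the show notes (is this an Administrator or a Limited account on Windows XP; is the user allowed to administer the computer on Mac OS X) can also be scripted, which is handy when you want to confirm the least-privilege principle from the Wikipedia definition above is actually being followed on a household's machines. The following is an added example, not code from the podcast or the Security Catalyst Community: a Python 3 script that reports whether the current account is administrative, using shell32's IsUserAnAdmin on Windows and group membership elsewhere. The set of group names treated as administrative (admin, wheel, sudo, root) is my assumption about which groups confer administrative rights on Mac OS X and common Linux distributions; classify_unix is kept as a pure function so it can be checked against constructed inputs.

```python
"""Report whether the account running this script is administrative or limited.

Added example, not part of the podcast show notes. Standard library only.
"""
import os
import sys

# Assumption: membership of any of these groups confers administrative rights
# ('admin' on Mac OS X, 'wheel' on BSD-style systems, 'sudo' on Debian-style
# Linux, 'root' everywhere). Adjust for your environment.
ADMIN_GROUPS = {"admin", "wheel", "sudo", "root"}


def classify_unix(uid, group_names):
    """Classify a POSIX account as 'administrator' or 'limited'.

    uid 0 is root. Otherwise the account is administrative if it belongs to
    any group in ADMIN_GROUPS (comparison is case-insensitive).
    """
    if uid == 0:
        return "administrator"
    if ADMIN_GROUPS & {name.lower() for name in group_names}:
        return "administrator"
    return "limited"


def current_unix_groups():
    """Return the names of the groups the current process belongs to."""
    import grp  # POSIX-only module; imported here so the file loads on Windows
    names = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # a gid with no entry in the group database; skip it
    return names


def classify_windows():
    """Windows: ask shell32 whether the current token is an administrator."""
    import ctypes
    try:
        is_admin = ctypes.windll.shell32.IsUserAnAdmin()
    except (AttributeError, OSError):
        return "unknown"  # shell32 not available in this environment
    return "administrator" if is_admin else "limited"


def current_account_kind():
    """Dispatch on platform and return 'administrator', 'limited' or 'unknown'."""
    if sys.platform.startswith("win"):
        return classify_windows()
    return classify_unix(os.getuid(), current_unix_groups())


if __name__ == "__main__":
    kind = current_account_kind()
    print(f"You are currently running as a(n) {kind} account.")
    if kind == "administrator":
        print("Create a separate limited account for day-to-day use and log in with it.")
```

Run it from the account you normally log in with; if it reports "administrator", follow the steps above to create a Limited (Windows) or non-administrator (Mac OS X) account and switch to it for everyday work.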

Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)

• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May 8)
• Baltimore/Washington/Northern Virginia (May 10 – May 18)

We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security

We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)

We are in the process of selecting cities for our “Security Revival Tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com

Thanks for listening - now go make your user account changes and be safe out there!

Podcast audio: Family Security Series #2 [24:13m]


Posted in Information Protection | Comments (2)

Have you contributed to the survey? Here’s what you can learn

As we set out on this survey about messaging solutions, we had a hunch that spam was again surfacing as an issue. A lot of the vendors have been discussing the increase in spam. Apparently, we see it, too. So far, 84% of respondents have noticed an increase in the volume of spam or an increase in the complexity of filtering spam over the last six months. As a result, 63% are planning on or considering upgrading their messaging solutions.

This sort of information will be shared back with our community in an effort to help provide some support to the decisions we need to make. If you haven’t yet, please take five minutes and take the survey based on your experiences. We hope to wrap it up this week and provide some insights through the forums and community.

Take the Survey Now (click here)


Posted in Information Protection

The Catalyst Community Forum Roundup; Connections Abound

It is important that the Catalyst Community be a comfortable and supportive environment that allows everyone an opportunity to ask questions, answer questions and have their voice added to the conversation. I was delighted yesterday when a member of our community approached me to tell me that it is working! He was able to get some guidance he needed and formed some new relationships with people who are now helping to mentor and guide him.

My friends, welcome to the Security Catalyst Community - a place to grow and make relationships that will improve your career! I believe that by using our full names in the forum, we have been able to develop a virtual resource that meets the needs many of us have felt in the offline world. The best part is that we have only just begun on many levels.

March saw a real explosion in terms of members and activity. The quality of posting, content and discussion is amazing and will absolutely contribute to your improvement. Like everything else in life, the more you put in, the more you get out. Here are some hot and interesting topics that you can contribute to today!

Web App Security resources

Hard disk Encryption

Presentation Ideas - At Risk Teenagers

Certification Advice

Accreditation scheme for penetration testing companies launched in UK

Advantages/Disadvantages of working for a SMB or a Large Organization

My certifications, my choice!

Spinning up a Security Consult Business

IT & Security Magazines (and other paper publications)

What software is the world missing?

Where can I find GOOD statistics?

Fun/different awareness activities
Don’t see something here that is important to you? Come join the community and start a new topic. The entire community looks forward to learning from you and sharing in your passions.

PS: The forums are expanding again in the coming days. Look for an announcement shortly!


Posted in Information Protection

Family Wedding in Arizona means an opportunity for you and your company

I have an exciting opportunity for you and your team or organization.

I need to be in Phoenix, AZ for a wedding on March 31 and realized this is a great opportunity to do more work in the valley and meet more people. I am offering some fantastic incentives on my most popular keynotes and experiences. You could treat your team to a Spring Renewal with Are You Making a Living, Or a Life? This experience or keynote discusses how a positive vision can help them be more effective at work, reduce stress, and improve the quality of their time at home. Or take advantage of our new experience, Speaking About Security. This experience will help your group improve their communication skills and increase your success.

Here is a listing of the experiences and keynotes with incentives:
Experiences
- Speaking About Security
- Are You Making a Living, Or a Life?
- “Catalyst Session” - experience working with Michael in a way that infuses energy, passion and vision into your current efforts

Keynotes
- Transform Your Awareness Program
- Speaking About Security
- Are You Making a Living, or a Life?
- Into the Breach

Interested? Send me an email: securitycatalyst@gmail.com and we’ll arrange a time to speak. I need to lock in my tickets soon - so this is a first come, first to reap the rewards opportunity. I look forward to the chance to work with you.


Posted in Information Protection, Professional Speaking

reminder: informal meetup in PHX tonight, 7pm

Those of you located in Phoenix - we’re gathering at the Tilted Kilt, Tempe. 7pm. See you there.


Posted in Information Protection

More proof we need to change our approach

Like many of you, I have been a member of ISSA, HTCIA and plenty of other organizations. As I have developed my career, I have found value in working with other professionals, and continue to find places to network, etc.

Of course, this is why a number of us came together to form the catalyst community

Anyway - I allowed my HTCIA membership to lapse. While I admire the group and their goals, when I moved to Albany, I was immediately disconnected, and as a result, didn’t want to keep spending the money for no return in value. I truly wish more organizations would start to understand that “meeting” does not mean everything has to happen in person. Many organizations would benefit from either creating an online community - or, at this point, getting engaged and helping to grow the catalyst community.

So this evening, I got this email message:

Dear HTCIA Member,

Our records indicate that your 2007 dues have not been paid. If payment is not received prior to April 15, 2007, you will be required to re-apply as a new member in HTCIA. Renewals can be done via our website at htcia.org, or you may fax your credit card information or mail payment to the International Office address below. After this date, 2007 dues renewals will not be accepted.

Thank you for your cooperation in this matter and for your continued support of HTCIA.

Sincerely,


So why did I bother to post this?

A perfect opportunity was missed here to demonstrate to me the value of renewing - instead, HTCIA decided to take the tactic of telling me that by not sending in dues, I would be forced to reapply. Personally, I would have asked why I didn’t pay the 2006 dues… and then reminded me of some of the benefits and offered a telephone number to discuss what was going on, etc.

I read this message and instantly thought, “screw it.” I doubt that’s the reaction they wanted. But making me feel like an inconvenience to your organization doesn’t encourage me to want to stay. I still like and support the HTCIA - so this message isn’t about bashing them or suggesting that people not join. I think this is a great group and if you have a local chapter, you _should_ join. Yet this approach struck me as “the normal way of doing business” - and upset me. This message was focused on the HTCIA and not focused on me as a member - which is odd, since they are asking for money.

Is this how you treat your users? Are they inconveniences to you? Do you take the time to communicate in a way that meets their needs and demonstrates benefits to them (in their terms)?

Don’t make this mistake with your communications and opportunities to make a difference.


Posted in Information Protection, Professional Speaking | Comments (1)

The return of the Security Round Table - and with OpenID

I should probably call this “what you need to know about OpenID” - along with some security. Dan York, Martin McKeay and I have re-invigorated the Security Round Table. Dan York led our February effort by doing some simply AMAZING research into OpenID - and really allowed us to explore and understand it better.

For the complete show notes - check out http://www.securityroundtable.com/?p=17  In case I wasn’t clear - if you have any interest in understanding OpenID - you will need to go see what has to be the most impressive collection of links I have seen yet. Dan York is amazing.

Our goal is to come together once a month to discuss and debate important topics in the practice of information security. Please consider subscribing to the SRT feed here: http://www.securityroundtable.com/?feed=rss2 or in Apple’s iTunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477

If you feel like discussing OpenID (or looking to find some positive and passionate security professionals), come discuss this in the Security Catalyst Community: http://community.securitycatalyst.com/forums/index.php

Here is the OpenID thread: http://community.securitycatalyst.com/forums/index.php/topic,46.0.html

Podcast audio: SRT - February 2007 - OpenID


Posted in Information Protection

Making your voice heard, constructively (we need to arm the public to take action)

I really enjoyed the thrust of Vote Positively With Your Pocketbook, over at Emergent Chaos.

Basically, he builds on the notion of the power of a “consumer” revolt. Then he argues that the answers aren’t boycotts, but taking your spending power somewhere else. His argument, which I whole-heartedly agree with, is that if you don’t like the RIAA, then don’t boycott CDs for a weekend, but shift to online music or something else. The point is subtle, but important - if you don’t take an action that has an adverse economic impact, your message or dissatisfaction will not likely be heard. If you keep spending your hard earned money at the place you are unhappy with - can you really be that unhappy?

Don’t get lost in the semantics on this one. I think the solution to the breaches we keep reading about is the same. We seem to be up in arms over the spate of breaches at TJX…. then we immediately wonder why nothing was done and if they get a pass on this one.

Well, I have more to say, but I think the punchline is that the consumers have to vote. DSW breaches, they continue. Choicepoint breaches, they continue. TJX breaches, they continue. Why? Do consumers actually care?

See, I think that the “scale” of the problem is so large that we, as consumers, don’t know what to do. The average consumer doesn’t have the “time in seat” or experience to consider the implications. They know what they read. They feel outraged and helpless. Or they are apathetic, because “what else can they do?” So unless we guide them to proper action, nothing will change.

I was watching a local business show yesterday (which in Albany, NY, is truly something to experience). Anyway, they have a group called the GenNeXt council (and I catch hell for Security 2.0??). So they have two people on at the end of the program opining how great the local economy is (it isn’t) and how wonderful for our generation (again, I don’t see it) - then they issue this warning “It will go away if you don’t get involved. So… get involved!” I almost threw something at the TV. And you have to understand, I’m not like that.

But to tell me to “get involved” and not give me options, show me how or otherwise guide me? How absurd. Now, with me, I’m the sort that doesn’t really want to be guided. Hey, if I was, would I be a ‘catalyst’ — probably not. But give me something… and I can choose to follow, adapt or do something else.

How many times have you plainly said “give me feedback” - only to get nothing? But if you hand someone a page, they rip it to shreds with ideas. It is easier for all of us to react to an idea, to a concept, to _something_ in front of us.

Well, it’s no different when it comes to discussing security and the actions we want people to take. As I write my book, “Into The Breach: Why Corporations Fail to Protect Sensitive Information - and What Can Be Done About It” — I am working to explain an approach that any business can use to reduce their risk of breach. At the same time, I am working to develop a toolkit for consumers; they need some guidance on HOW to take ACTION when their information has been breached.

If we don’t hold people accountable and demonstrate our disappointment in a way they understand (hit them economically) - then change is less likely. But just *telling* people to boycott or to change won’t work. After all, if people want cheap clothes, TJX is still a good option, right? We don’t change behaviors with words. We have to explain processes and lead the way.


Posted in Information Protection
