
Vacuums and Security

By Adam Dodge

This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.

That’s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of - let’s call it crud - crud that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.

So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called “I’ve been doing it this way for X years”. (This wall is also known as “Other organizations are doing it this way”.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.

One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to improve security by implementing solutions that offer minimal differences in all aspects. In other words, replace the broken vacuum with a new one, not a mop.

However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet familiar, control will only lead to frustration and avoidance of the new control.

Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white-haired cat plus upholstery equals a chore!) However, other attachments, such as the “electro-static duster”, are not so useful.

The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that, optional. While these geegaws may add value, the main focus of the control needs to be the basic functionality of the control.

So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated/non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection

What’s Your Personal Unique Selling Proposition?

By Joe Coates

Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”

What would you say? Do you have an answer prepared? Does your answer have words like “synergize” or “leverage” or other corporate vision-speak that means next to nothing?

As the current financial credit crisis spreads across the globe, it is imperative to your career that you give serious thought to crafting a Personal Unique Selling Proposition (USP) for your job.

So what’s a USP? The term was coined by an advertising and marketing heavyweight named Rosser Reeves in his 1961 book Reality In Advertising. I believe the idea was best described by Dan Kennedy. He says your USP needs to communicate to your audience why they should choose you over all their other alternatives, including doing nothing. So from a Personal USP perspective, think about why your organization should choose you, above all other alternatives, to deliver the results you are expected to deliver.

Probably the most famous USP in recent history is Domino’s classic “Fresh, hot pizza delivered in 30 minutes or less, guaranteed.” Domino’s chose to focus on their ability to get the pizza to their customers hot and in a half hour or less. They never claimed the pizza would be any good. And thanks to that USP, they sold a lot of pizzas that were not very good. But they were hot, and they came pretty quick, and you didn’t have to go get ‘em.

Michael Santarcangelo’s USP for his terrific book Into The Breach is his approach to protecting information by educating actual living, breathing, thinking human beings on how to consciously protect information.  So while the market is preaching from the gospel of “Technology Will Save You”, Michael’s approach is to say technology is necessary and useful, but ultimately not enough if the people responsible for protecting information aren’t aware of the potential effects of their actions.

So how can you create a personal USP? This is a great mind mapping exercise. Start by plotting out what you are responsible for, and how that impacts the organization you work in. What organizations do you directly touch? What financial impact does your work have on the organization? What would happen if your role was eliminated?

Take your time with this. It is well worth the effort. So much of the marketing we are exposed to on a minute by minute basis is focused on being cute and clever, not on delivering an impactful statement on what makes the product or service unique. For inspiration take a good look around at Michael’s Security Catalyst website and see how his positioning is so different from the rest of the IT security consulting marketplace. Then, for the rest of the day really ponder the ads, PowerPoint presentations (UGH!), radio spots and TV commercials and notice if any of them communicate a unique message about what they are selling. My guess is you’ll find less than 10% do. More likely less than 5%.

In closing, remember what Thomas Edison said: “Opportunity is missed because it is dressed in overalls and looks like work.” Do the hard work to develop your Personal USP. Then deliver on it and see the difference it makes in your career.

Posted in Catalyst Insights, Information Protection

Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET

I take the stage today to share some insights on “Awareness that Works” - live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast:

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation – launch your browser and click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

Posted in netcast

Don’t Ignore the Facebook Virus

By David E. Stern, CISSP

Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, has become fairly numb to these alerts. For the most part, as long as patches are pushed out and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It’s an unfortunate consequence of the virulent Internet environment.

I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment; EVERYONE uses Facebook.

Facebook isn’t just a toy for fiending teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.

The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.

Consider the following example: A toy manufacturer announces a recall of a popular toy due to dangerous chemical contained within. Your child doesn’t have the toy, but you will probably want to make sure that his school and friends don’t have it either.

Take the time to generate an internal email blast warning all employees to be extra careful. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.

Don’t ignore this one.

Posted in Information Protection

netcast for this week: I was the (surprise) guest host on the Netsec Podcast

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows, you may want to unsubscribe and resubscribe.)

Posted in Into the Breach, netcast

Security Catalyst Community: Discussion Forum Activity for June 24

Here are some recent discussions. Got an opinion? Jump in!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Posted in Security Catalyst Community

Security Catalyst Community - Discussion Forum Activity

Recent activity includes:

Your voice is needed! As always, your currency is your participation (which means no out of pocket expenses from you — and the more active you are, the more benefit you receive). 

Posted in Security Catalyst Community

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages used by Debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

Security Catalyst May 21 2008 [33:06m]

Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast

The Security Catalyst Show | Plan - Do - Review your way to success

Into the Breach is really taking shape - but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN - DO - REVIEW

I first learned about PLAN - DO - REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use - with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

Standard Podcast [13:04m]

Posted in Information Protection, netcast

You are now Liable for Unintentional Medical Data Breach In NY State

by Patrick Romero

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to justify disclosure of medical information on mistakes or negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.

Posted in Information Protection, compliance