Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.

Your personal computing devices perform almost all of the functions of a laptop computer. Smart phones, iPads, Kindles, and other devices are notoriously easy to lose, and store gigabytes of files, passwords, credit card numbers, social security numbers, digital photos, address books, and email attachments. Because of the wealth of personal information on a cell phone, most people would rather lose their wallets, and nearly all respondents to a 2009 survey said they would be “devastated” if they lost their phone.

Upgrading your phone can be as risky as losing it. Some people donate their old phones to charity or sell them on Ebay, and experts warn that personal information on the phone could easily be mined and re-sold. Periodically search your cell phone for personal information, and make sure that you digitally shred the entire contents of your mobile device before you get rid of it.

Do not put your faith in what statistics say until you have carefully considered what they do not say.  ~William W. Watt

Over the last few years, we have been presented a series of reports, complete with statistics, suggesting the cause of security breaches is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.

Well, they aren’t. Except, of course, they are.

When I wrote Into the Breach, I realized early in the process that “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.

The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the concept of the human paradox in the book, I suggested we face a people problem. Upon further research and considerations, I would write that section differently: we face a human paradox where people are not the problem.

Consider this: “people have been unintentionally and systematically disconnected”

This raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we did. But it wasn’t intentional.

I liken the current experience described by practitioners as  “security pain” to what new parents learn as “short term gain, long term pain” – or the idea that actions designed to quickly diffuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.

The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

When users rightly questioned changes, the path of “short term gain” was to suggest they wouldn’t understand and take the decision – and resulting consequences – out of their hands.

But it’s okay.

It’s part of human nature.

This means that instead of blaming “users” generically for not knowing and not being good enough, we should first look in the mirror. We played a role in making the situation we lament.

So we recognize it and move on.

The question is what comes next. And that’s where I have focused my passion, blended with my experience and skill as a human ecologist, in security and in the tradecraft of effective communication.

The Path Forward

The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s easier – and more complicated – that just inflicting pain and punishing bad decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

We have a lot of work to do. I’m here to contribute and lead the change we need.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 11)

Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

• Learn how to establish appropriate and measurable criteria upon which to make better decisions
• Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
• Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must listen.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions — in the right way — people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Methodâ„¢ — what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Worksâ„¢.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property

During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance

After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements

As we continue to discuss the Basic Truths of Incident Response Leadership, we’ve briefly gone over the three Basic Truths as well as done a deeper analysis of  “Succeeding By Planning to Fail”. This brings us to:

Basic Truth #2: Have A Workable Plan, or Else

As an Incident Response Leader, one of the most valuable parts of your role is to create, test, exercise, and (when called upon) execute Incident Response Plans (IRPs).  IRPs run the gamut from a Post-It note on the wall listing contact phone numbers, to plans that take up several 3-ring binders on a shelf somewhere.  Plans can be long or short, detailed or vague, paper or electronic, automated or manual…you get the picture.  What makes a good plan different from a not-so-good plan can be summed up in a few ways.

First, can you execute the plan using only the resources that you legitimately would have access to during the incident?  We’ve all seen plans that call for using network analyzers that aren’t accessible to the organization or that call for numbers of personnel that just don’t exist.  You may have written plans that assume that the responding team has skills and experience that your current team just doesn’t have (I have).  The key is to map out the current skills and capabilities of your team and employ them as best you can to meet the anticipated incident.

As you identify resources available to you, it pays to be creative.  Can other teams identify folks who could temporarily be available during an incident (think of it as an in-house “volunteer fire department”)?  Do you have relationships with designated outside incident response consultants? Do you have relationships with local, state, or federal law enforcement?  In today’s business environment, Incident Response Leaders need to be creative in identifying resources that can assist during a response cycle.

Second, you have to test the plan.  This sounds so intuitive, but many plans never get past the written-down stage before they are needed in an incident, because no leader stepped in to ensure that the plan would work as designed.  One of the most effective testing plans for an IRP is also the least expensive – the simple “Talk Through”, where all of the designated players sit at a conference table (pizza is optional, but highly recommended) and talk through the plan, noting any foreseen problems or issues.  The team needs to be encouraged to not only point out potential problems, but brainstorm solutions they can implement as-is since (as we talked about in Basic Truth #1) you can only plan on the resources you have, not the resources you want to have.

Plan testing needs to be redone each and every time the plan is modified, or at some regular interval (at least annually).  Testing can be announced or (my personal favorite) unannounced.  The time spent testing can help the Incident Response Leader assess not only the plan, but the team assigned to execute it.  The feedback loop should encompass applications, hardware, processes and procedures, as well as people.  Everything is fair game.

Lastly, you need to continually exercise your plan.  This, while not as intuitive as testing, is something that many organizations fail to do, claiming “it’s too hard” or “it’s too disruptive” or “it’s already been tested, why should I do an exercise?”  Having performed incident response on plans that have been exercised and plans that have not, I can tell you with complete assurance that plans that have been exercised are executed more smoothly, with fewer problems and a better resolution.

Exercises can range from a talk-through (similar to testing but without the constant feedback loop) to a full-on exercise using live equipment.  Talk-through exercises can help in quickly familiarizing a team with a new (or newly updated) plan.  Talk-through work will also quickly point out assumptions that, while seemingly accurate in testing, don’t fit the way the incident response team works.  All other things being equal, I believe that talk-through exercises offer the highest return for time spent in any aspect of prepping for a incident.

Full-on exercises, as powerful and complete as they are, can be very hard to accomplish.  Most organizations cannot fully replicate their production systems (even using virtual machines).  These exercises, when they can be done at all, are usually done in development or test environments and generate most of their value by allowing teams to actually assess and interpret adversary actions and data.  These exercises are an Incident Response Leader’s best chance to simulate the stress and activity of a real incident.

Taking all of this into account, it’s clear that the Incident Response Leader must be able to create, test, and exercise an IRP to be able to effectively respond during the inevitable incident.  By creating plans designed around available resources, qualifying the plans with testing, and regularly exercising the plan, you can ensure that you and your organization will be ready when the inevitable incident occurs.

But it’s not over yet. Once you’ve gotten this far you still have one vital task to accomplish.  We’ll cover that in the last article on the Basic Truths of Incident Response Leadership.

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

by Michael Starks

Bloggers and writers often lament the challenge of finding new material. When we do write about a topic, it is often a second-hand story, perhaps commenting on the big news of the day. This month is different, thanks to Gexa Energy, an electricity provider based in Houston, Texas.

Last month, my wife received a letter from Gexa Energy informing her that a data breach may have involved her non-public personal information. I guess they weren’t entirely sure. The letter describes how their monitoring systems alerted them to the intrusion on April 30, 2008, the date of the incident. The breach was contained and there is no evidence of any improper use of her information (had her information ever actually been involved). They even caught the person responsible and are prosecuting them, Gexa says.

Did you notice the timeframe between the discovery of the breach and the notification? I didn’t, until I read about it again in a news story. Almost a year passed before they let anyone know. But don’t worry, law enforcement told them not to tell anyone.

The letter went on to list the types of information that might have been accessed, which included the usual suspects: drivers license number, social security number, date of birth and so on. The next underlined sentence emphasized that no credit card numbers or bank account numbers were compromised.

Gexa was even helpful enough to point my wife to some sources for credit monitoring and reports, although these are already free resources. Finally, they created the ironically titled http://www.gexaenergy.com/dataprotection site to help everyone feel better about the whole thing. The letter closed with the usual statement of how they take things real serious-like and how they deeply regret her concern. No one signed the letter.

How a company responds after a breach is a strong indicator of their commitment to protecting your information. In this case, Gexa failed miserably. They:

1. Failed to accept personal responsibility for the breach by not having an executive sign the letter.
2. Failed to conclusively state what information had been accessed, and when.
3. Made no offer to pay for personal credit monitoring.
4. Used emphasis in the letter to minimize their culpability and responsibility.
5. Made the inexcusable and legally questionable decision to wait almost a full year before notifying affected people of the breach.

Breaches happen. In today’s world, that’s a fact. With this breach, Gexa’s response only serves to remind us that honesty is the best policy. Passing the buck and failing to take personal responsibility will only alienate customers who might otherwise have been willing to forgive you.

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages and explains his personal experience in how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.

Why do companies keep losing our personal information? That, of course, is the billion dollar question. Theories abound, and while we all theorize about the causes, data is still being compromised at an alarming rate.

Allow me to add to the theorizing, fully aware that this is going to sound a bit unconventional. What follows is not so much a concrete theory and solution, but an offering for creative thought. Here’s my take on one of the main reasons breaches happen, followed by a crazy idea about what we can do about it.

Breaches happen because companies are only looking out for number one.

Sorry, you’re not number one. They are.  You are but a meaningless number in a pool of data. They have no attachment to you as an individual and only view your risk as a function of their own. If your risk doesn’t factor into their own, it is casually disregarded. In the event of a breach of your personal information, they will act in their own self-interest. They are unlikely to compensate you for your time, stress, loss of work or anything else directly related to that breach. You get the short end of the stick.

That’s the bad news.  The good news is that it doesn’t have to be this way.  We can change things.

Payment is Past Due: The Action Plan

When our personal risk becomes a real economic factor in the risk of someone holding our information, the balance of the scales will have tipped. Since it is unlikely that companies will find incentives to factor in personal risk, they need to be persuaded through personal privacy and data security legislation.

It might work something like this.  From the multitude of breach statistics collected, we develop a profile of the harm done to a typical person after a breach of a certain type. One would expect, for example, that a lost social security number be more personally harmful than a lost credit card number. That breach profile is then used to assign relative security requirements to companies that wish to deal with that aspect of your data self. The more personal, static and valuable the information, the more stringent the requirement.

To validate that the data is sufficiently protected, the company will be required to undergo independent penetration tests. Audits, while sometimes helpful, are insufficient in that they primarily measure compliance and not the ability to withstand attack. We need to know how safe the data really is.

Here’s where the rubber meets the road. For every failed test, the company will be required to pay premiums to those whose information they are not adequately protecting, proportionate to the amount of risk the test reveals. In traditional insurance models, the insurance company holds risk. You pay them to assume that risk. With this model, the company is putting you in a similar position of risk. Doesn’t it follow that you should be similarly compensated?

In this paradigm, the company doesn’t get to wait until the information is actually breached. They lose the ability to roll the dice, and hope everything is going to be OK, while you remain at risk They face actual consequences, not just for breaches, but for creating circumstances predisposed to a breach. And with ongoing consequences for doing a poor job of protecting information, it then becomes in their best economic interest to get and remain secure.

By now you are undoubtedly thinking thoughts such as, “this won’t work because..” or “but what about.” Good. The idea wasn’t so much to offer a single solution to a complex problem; rather, it was to spark realization that we can change the rules of the game. No longer do we have to be victims. What are the problems with my proposal? How can it be re-worked? What ideas do you have to win back your identity? Throw me a comment or let’s chat in the forums.

]]> http://www.securitycatalyst.com/2009/02/it%e2%80%99s-time-to-pay-the-piper/feed/ 7 http://www.securitycatalyst.com/2009/01/the-top-5-reasons-you-wont-hear-about-a-breach/ http://www.securitycatalyst.com/2009/01/the-top-5-reasons-you-wont-hear-about-a-breach/#comments Thu, 22 Jan 2009 11:46:08 +0000 Guest Blogger http://www.securitycatalyst.com/blog/?p=629 By Aaron Titus

I have personally discovered more than a hundred data breaches by schools, companies, doctors’ offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons:

1. Failure to Detect
2. Market Devaluation of Privacy
3. Poor Communication
4. Ignorance of Law
5. Notification Difficulty

Failure to Detect

Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press releases reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”

Market Devaluation of Privacy

The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.

In addition, most data breach notifications laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your credit. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.

Poor Communication

A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.

I have read dozens of breach announcements, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” Keeping a victim in the dark about the details protects only the breaching entity.

Ignorance of Law

Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.

N

For the most part, organizations which choose not to report breaches get away with it. But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.

I have suggested solutions to some of these problems here and with the creation of National ID Watch

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch.

Lately, there has been a flurry of activity in the land of security breach reports with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that are inherent limitations on the applicability of breach statistics and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports do not support.

Before we go any further, yes I do develop a similar report each year and yes my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and this

What do I mean by “misinterpretation”? Well a common problem with the statistics provided in these reports (remember, I’m including my own report as well) is that the numbers are based the sample set and the ability to apply these numbers depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer so allow me to explain further.

The Verizon report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven’t read it, go do so now. Seriously, stop reading this and go read the report. It is that good.

However, the report is based around 500 forensic investigations performed by Verzion’s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon has analyzed for this report were not randomly chosen from all breaches that occurred. Instead, the information was mined from the investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for this survey.

Most companies are not going spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches of data such as information left in public, information accidently placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented as well since these entities lack the funding that larger, for-profit organizations have at their disposal.

What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all of security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no go way around this problem yet. Everyone that I talk to involved with tracking breaches has the same complaint: There is no centralized reporting of breaches in the United States and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and public access to breach information.

So I am suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of these is that each and every one of us (including the media) need to make sure that we are interpreting the data of these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1 or before we discontinue our security awareness and training programs because the Verizon reports says that 73% of all breaches came from external sources.

How can these reports be so different and yet both be correct? Simple, look to the samples used to compile them.

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to justify disclosure of medical information on mistakes or negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPPA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liabilities issues.

There are roughly 40 states that have some sort of “data-breach” law or bill being considered that force notification of a company’s security breach (or suspected breach) to their consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals personal information was compromised and that they could potentially become victims of identity theft.

Over the coming months, we’ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements – useful to us from individual and organizational perspectives.

Even with these new laws in effect, it seems that there is little a person can due to hold a company liable for a data-breach based on their weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.

This is a serious issue that has implications for everyone involved – and ultimately requires clear definitions, mutual understanding and will take years to sort through. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation
Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael).

The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to a credit card holder’s PIN number longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.

The significant of this legislation is important in light of recent ruling by courts that have dismissed class action suits against companies following data-breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indian’s security breach notification statute. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as states legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.

Federal and state courts will feel much more comfortable in their decision to expand their legal theories of liability when supported by statutes that explicitly creates private actions for security breaches. In this context, it is much more likely that Courts will not follow the ruling in Pisciotta until after states pass legislation similar to Minnesota. In other addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate gets passed. The bill, known as the Identity Theft Enforcement and Restitution Act of 2007, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.

Consequences for Businesses
Meanwhile, the retail lobby continues to argue against laws that would hold them liable by arguing that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced Governor Schwarnenegger to veto a California law that would have mandated the retail industry comply with PCI requirements. While this may be true, legislation in Minnesota limits this burden by exempting businesses with few than 20,000 transactions from their statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.

While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they often blamed for such breaches. TJX is currently being sued by several banks
who seek compensation for having to re-issue credit cards and credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for incurred damages a result of security breaches by a third-party. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.

This isn’t doom and gloom.

Many of us have already begun to prepare for these changes by improving and writing security policies that make sense and can be understood, improving the process of protecting information and working to involve users in solution through training and awareness. Focus on the fundamentals of information protection and you’ll be less likely to be the test case.

I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.

While I suppose this isn’t exactly the type of event you want to incorporate on the front page of your website, the only public response I could find was in the computerworld article. From what I read in the Computerworld article – FaceTime acted quickly and even notified people impacted. Yet, I was bothered by this response:

However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.

It’s a fair and valid statement to make. I supposed I would advise a client to make a similar statement, save one exception: I’d leave out the aspect of tying personal information to a limited set of data. I’m troubled by the concept that if it wasn’t a social security number, credit card number or something of the same that no personal information was disclosed. Information of any kind has value – and while this was probably a mistake, I would expect a security company to have taken a different attitude.

As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.

So we start a year where we feel down trodden, upset, dejected and hopeless?

Open Culture (http://www.oculture.com/weblog/2007/03/famous_stanford.html) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation – mainly in the context of watching how many people in technology have been treated and how they chose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
– Wikipedia entry (http://en.wikipedia.org/wiki/Stanford_prison_experiment)

In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

Wikipedia: http://en.wikipedia.org/wiki/Stanford_prison_experiment
The Official Website: http://www.prisonexp.org/
interesting overview: http://www.holah.karoo.net/zimbardostudy.htm

Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”

Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as “protecting information” has grown in importance, many people in the field of security have been given an opportunity they have never held – a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power – and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard – and they have a lot of memories guiding their actions.

Now, let me be clear – with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Regardless, this is a situation we cannot accept. Period.

We cannot accept this approach: reboot the industry

What happens when your computer doesn’t respond as you would like? Many of us check for run away processes and consult the logs. If you’ve ever worked with windows or supported windows users, a more common answer is: reboot the system.

In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or a least a fresh approach).

I believe that the better way to practice the protection of information protection is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.

In Speaking About Security, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “Night at the Museum” (http://www.imdb.com/title/tt0477347/). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.

I’m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the “story” of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).

After reboot: It’s time to get grounded and follow a new vision for security

I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information – and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.

We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.

I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth – reinforcing to me that collaborating with others can be truly powerful.

I have decided to spend some time focusing on three key areas:

1. Architecting a shared new vision for approaching how we can protect information (security). It’s not *my* vision – it’s *our* vision and I invite you to join in the conversation and practice a new way.

2. Help security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to successfully communicate in speaking, writing and presentations.

3. Providing organizations and security professionals the support needed to be successful at our jobs.

I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.

Supporting Your Growth and Development

Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.

To help people get grounded, focused and be able to “do more with less” without burning out, we have updated “Are you making a living or making a life?” – which is now available in a keynote, workshop and private workshop session. It’s an approach that shares how we can break the cycle, lead more “integrated lives” – as opposed to seeking “balance” – and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.

In March, we launched “Speaking About Security” to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.

Mike Rothman and I just announced the formation of the Security Education Network (SEN), which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.

This summer I launch my book, “Into the Breach: Why Corporations Fail to Protect Sensitive Information – and What Can be Done About It” — where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.

We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.

I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It’s time for a change, and I’m excited!

We plant plants…

We show you how to improve your gardening skills…

You grow gardens.

PS: I think I have finally fixed the formatting issues. – Santa 11:19a