<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst&#187; communication</title>
	<atom:link href="http://www.securitycatalyst.com/tag/communication/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst&#187; communication</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>Managing extroverts and introverts</title>
		<link>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/</link>
		<comments>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 12:40:04 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[leadership]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2883</guid>
		<description><![CDATA[by Trish Smith It is important to understand personality types and traits when working with and managing other people (check out my article about that here). There are two traits with the strongest influence on personality style. An understanding of these provides advantages for managing and communicating &#8211; advantages that are essential for success. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1024035_yin_yang.jpg"><img class="alignright size-full wp-image-2885" title="1024035_yin_yang" src="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1024035_yin_yang.jpg" alt="" width="300" height="193" /></a>by Trish Smith</p>
<p>It is important to understand personality types and traits when working with and managing other people (check out my article about that <a href="http://www.securitycatalyst.com/2010/02/personality-types-your-key-to-better-business-relationships/" target="_self">here</a>). There are two traits with the strongest influence on personality style. An understanding of these provides advantages for managing and communicating &#8211; advantages that are essential for success.</p>
<p>The two types?</p>
<p>You guessed it: extrovert and introvert</p>
<p>While the words introvert and extrovert are used often &#8211; and often used to justify behavior &#8211; it is useful to take a step back and consider the two types in a different light.</p>
<p><strong>The extrovert</strong><br />
Extroverts are known for their assertive and outgoing nature. But extroverts aren&#8217;t assertive just because they like telling people what to do; they actually thrive on external sources of energy.</p>
<p>They seek out human interaction and lean toward the gregarious. They enjoy activities that give them the opportunity to interact with larger groups, both business and social, such as conferences, parties, community activities, public demonstrations, and highly active membership groups &#8211; all strong sources of energy they can feed on, amplify and contribute to.</p>
<p>In the workplace, extroverts are less likely to find reward in individual projects. They enjoy work that involves large groups and will engage in activities that introverts might consider risky, such as public speaking and assuming leadership positions. They are often comfortable expressing opinions confidently and vocally. This can give others the impression that extroverts have a greater self-image, which is not always the case.</p>
<p><strong>The introvert</strong><br />
Classically, introverts tend to be more reserved in behavior. But consider this: introverts generate their own energy &#8211; and sometimes need to step back in order to do it.</p>
<p>They seek out fewer social interactions; this does not mean they are asocial, but rather that they prefer interacting with smaller groups or individually than with larger groups. They also take more pleasure in solitary activities such as reading and writing than their extroverted counterparts.</p>
<p>At work, introverts enjoy projects that allow them to work on their own or in small groups. They tend to prefer working on one project at a time (or on fewer projects at one time), and will be more likely to observe a situation before jumping right in. They tend to speak only after they can validate what they are about to say. Introverts need time alone to &#8220;recharge&#8221;; it is essential they be provided with opportunities to do this.</p>
<p><strong>Successfully managing the two personality types</strong><br />
It&#8217;s important to leverage extroverts&#8217; innate sociability. Their outgoing nature makes them naturals as salespeople, account managers, or in any other position where they deal with clients, potential clients, and other members of the organization &#8211; where they can thrive on available energy.</p>
<p>Take advantage of their leadership tendencies by providing them with opportunities to take the reins on projects.</p>
<p>Extroverts often make very good team members, so don&#8217;t feel that it&#8217;s necessary to always put them in a leadership position. Often, extroverts in team situations will serve to improve the energy of fellow team members.</p>
<p>Introverts, by contrast, usually prefer to be given projects they can manage individually, or with one or two others. They also tend to be more detail-oriented, and do better with projects that do not require them to perform many tasks simultaneously. Use their high level of focus to the business&#8217;s (and their) advantage. Introverts can often be quite taciturn until they produce desired results, so do not assume that lack of communication means they are not concerned with the outcome of the project; quite the opposite. Much of the processing that introverts do is internal, so they sometimes forget to communicate progress on the project to others.</p>
<p>As a team, these two temperaments can balance each other out well, if each can remember that the other has different work styles. Extroverts might find introverts&#8217; natural analytical style to be too confining, and introverts might consider extroverts&#8217; risk-taking to be too reckless. But if each can remember that the other has something to bring to the project, and that &#8220;different&#8221; can be beneficial, then these kinds of partnerships can be worthwhile &#8211; and even educational &#8211; for everyone involved.</p>
<p>Have you ever been in a position to manage these two temperaments? How have you used their natural strengths to the project&#8217;s advantage? And do you recognize yourself as one or the other &#8211; or do you feel you have elements of both extroversion and introversion in your own personality? Share with us in the comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Identity Management in 13 Easy Steps</title>
		<link>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/</link>
		<comments>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 11:00:34 +0000</pubDate>
		<dc:creator>Ioana Bazavan Justus</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2489</guid>
		<description><![CDATA[by Ioana Justus If you were asked to throw a few million dollars out the window, would you do it? If yes, let me know where and when &#8211; I&#8217;ll happily wait outside with my catcher&#8217;s mitt. More likely, the quick answer to this question is a resounding &#8220;NO&#8221;. Few circumstances would lead someone to [...]]]></description>
			<content:encoded><![CDATA[<p>by Ioana Justus</p>
<p>If you were asked to throw a few million dollars out the window, would you do it?<img class="alignright size-full wp-image-2491" src="http://www.securitycatalyst.com/wp-content/uploads/2009/11/for-mysite1.jpg" alt="for mysite" width="145" height="150" /></p>
<p>If yes, let me know where and when &#8211; I&#8217;ll happily wait outside with my catcher&#8217;s mitt. More likely, the quick answer to this question is a resounding &#8220;NO&#8221;. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.</p>
<p>What about companies that, effectively, waste millions of dollars trying to implement identity management?</p>
<p>The sad reality is that many organizations trying to implement identity management do just that &#8211; waste big money &#8211; on the wrong technology, or even on the right technology that sits idle because it can&#8217;t be used as designed. Worse, some organizations look to even more technology to &#8220;fix the shortcomings&#8221; of their selected product. The end result is the identity management version of Frankenstein&#8217;s monster.</p>
<p>If you peruse the latest identity management articles from your favorite research company, you&#8217;ll find the same discussions over and over: How do we justify the cost? Why do so many companies stop at &#8220;single sign-on&#8221;? Why do implementations take so long? Why do implementations get halted mid-effort? What&#8217;s the true benefit of identity management? What&#8217;s the ROI? You&#8217;ll also find the same tired answers &#8211; whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.</p>
<p><strong>But what does it all mean?</strong></p>
<p>Are we really doomed to these behemoth infrastructures that sit largely unused, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?</p>
<p>No, we&#8217;re not.</p>
<p>IAM is not a lost cause. It <em>can</em> lead to lower costs, easier audit processes, and a demonstrated positive return on investment (ROI). But it takes time &#8211; and discipline. As with many aspects of security, identity management is not about technology &#8211; it&#8217;s about people and process. The technologies are out there, and getting ever more mature. But IAM is NOT a Mac or an iPhone &#8211; you don&#8217;t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:</p>
<p><strong>Identity Management in 13 Easy Steps</strong></p>
<p>Of course, the series title is a bit tongue-in-cheek. There&#8217;s nothing particularly easy about identity management. Then again, it&#8217;s not rocket science, either. It just takes a little thought and a lot of tedious effort &#8211; and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That&#8217;s right &#8211; if you can keep your instant-gratification urges at bay, I recommend that you don&#8217;t even bother buying anything until you&#8217;re ready to use it. Why spend all that money on a fancy technology if it&#8217;s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?</p>
<p>An identity management implementation will only be as good as the data and processes feeding it, and that&#8217;s the problem many companies face today &#8211; most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI that most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.</p>
<p>There&#8217;s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and &#8220;get it&#8221; in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.</p>
<p>Are you ready for this journey? If so, let&#8217;s get started. Here is the series I have planned &#8211; one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way &#8211; I&#8217;m already concerned about the volume of information I&#8217;m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We&#8217;ll deal with that when it arises.</p>
<p>For now, here&#8217;s the intended schedule:</p>
<p><strong>December 2009: Identity Management 101</strong> &#8211; an overview of the different components of an IAM suite, to make sure we&#8217;re all on the same page and speaking the same language.</p>
<p><strong>January 2010: Identifying Systems Integrations</strong> &#8211; not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.</p>
<p><strong>February 2010: Data Cleanup Part 1</strong> &#8211; before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.</p>
<p><strong>March 2010: Data Cleanup Part 2</strong> &#8211; a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user&#8217;s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.</p>
<p><strong>April 2010: Preparing for Password Self-Service</strong> &#8211; password self-service is a key cost savings of IAM, but it&#8217;s harder than you might think. This article will help you prepare your policies and your users for the technology to come.</p>
<p><strong>May 2010: HR as a Source of Record</strong> &#8211; the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).</p>
<p><strong>June 2010: Role- and Rule-Basing</strong> &#8211; in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat&#8217;s nest.</p>
<p><strong>July 2010: Role Hierarchies</strong> &#8211; workflows cannot be enabled without proper approval processes. But approvers aren&#8217;t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).</p>
<p><strong>August 2010: Workflows</strong> &#8211; workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.</p>
<p><strong>September 2010: Termination and Transfer Gotchas</strong> &#8211; terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.</p>
<p><strong>October 2010: Password Self-Service</strong> &#8211; whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.</p>
<p><strong>November 2010: Effective Business Cases</strong> &#8211; now that your house is in order and you have almost a year&#8217;s experience with your organization&#8217;s circumstances, it&#8217;s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.</p>
<p><strong>December 2010: Requirements and Product Selection</strong> &#8211; you&#8217;ve cleaned your data, defined your processes, and secured a budget. It&#8217;s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year&#8217;s experience in the trenches, so that you can make the best product decision possible.</p>
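<p>The two data-cleanup steps (linking each system&#8217;s differently spelled userIDs back to the user&#8217;s primary record) and the termination check are the parts of this plan that can be shown concretely before any product is bought. The script below is an added example, not code from this article or from any IAM product: it reconciles constructed account exports from three assumed systems (an AD domain, an ERP and a set of Unix hosts) against a constructed HR feed, using assumed ID conventions for each system, and reports accounts still held by terminated employees, accounts with no owner in HR, and IDs that could belong to more than one person. The system names, ID formats and the service-account list are all assumptions for the sake of the example.</p>

```python
"""Reconcile per-system account exports against the HR source of record.

Added example (not from the Security Catalyst article or any IAM product).
Systems, ID conventions and sample data are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample HR feed (the source of record): one row per employee.
HR_RECORDS = [
    {"emp_id": "100234", "name": "Jane Doe", "email": "jane.doe@example.com", "status": "active"},
    {"emp_id": "100235", "name": "Bob Roe", "email": "bob.roe@example.com", "status": "terminated"},
    {"emp_id": "100236", "name": "Ann Lee", "email": "ann.lee@example.com", "status": "active"},
    {"emp_id": "100237", "name": "John Doe", "email": "john.doe@example.com", "status": "active"},
]

# Constructed account exports; each system spells the same person differently.
ACCOUNTS = {
    "ad": ["jdoe", "broe", "alee", "svc_backup", "tsmith"],
    "erp": ["E100234", "E100235", "E100236", "E100299"],
    "unix": ["jane.doe@example.com", "bob.roe@example.com", "root"],
}

# Assumed list of known non-person accounts that must not be reported as orphans.
SERVICE_ACCOUNTS = {("ad", "svc_backup"), ("unix", "root")}


def hr_keys(rec):
    """Every ID spelling one HR record is expected to appear under (assumed conventions)."""
    first, last = rec["name"].lower().split(" ", 1)
    return {
        "email:" + rec["email"].lower(),                    # Unix style: jane.doe@example.com
        "sam:" + first[0] + re.sub(r"[^a-z]", "", last),    # AD style:   jdoe
        "erp:E" + rec["emp_id"],                            # ERP style:  E100234
    }


def account_key(system, raw_id):
    """Canonical key for one raw account ID, or None if its format is not recognised."""
    raw = raw_id.strip().lower()
    if system == "unix" and "@" in raw:
        return "email:" + raw
    if system == "erp" and re.fullmatch(r"e\d{6}", raw):
        return "erp:" + raw.upper()
    if system == "ad" and re.fullmatch(r"[a-z][a-z0-9._-]{1,19}", raw):
        return "sam:" + raw
    return None


def build_index(hr_records):
    """Map each key to the set of employees it could refer to; collisions stay visible."""
    index = defaultdict(set)
    for rec in hr_records:
        for key in hr_keys(rec):
            index[key].add(rec["emp_id"])
    return index


def reconcile(hr_records, accounts, service_accounts=frozenset()):
    """Classify every account as linked, ambiguous, orphan or service, and list
    linked accounts whose owner is no longer active (the termination gotcha)."""
    index = build_index(hr_records)
    status = {r["emp_id"]: r["status"] for r in hr_records}
    result = {"linked": {}, "ambiguous": [], "orphan": [], "service": [],
              "terminated_with_access": []}
    for system, ids in accounts.items():
        for raw in ids:
            acct = (system, raw)
            if acct in service_accounts:
                result["service"].append(acct)
                continue
            owners = index.get(account_key(system, raw), set())
            if not owners:
                result["orphan"].append(acct)            # nobody in HR claims it
            elif len(owners) > 1:
                result["ambiguous"].append(acct)         # needs a human to decide
            else:
                emp = next(iter(owners))
                result["linked"][acct] = emp
                if status[emp] != "active":
                    result["terminated_with_access"].append(acct)
    return result


if __name__ == "__main__":
    report = reconcile(HR_RECORDS, ACCOUNTS, SERVICE_ACCOUNTS)
    for bucket in ("terminated_with_access", "orphan", "ambiguous", "service"):
        print(f"{bucket}: {report[bucket]}")
```

<p>Two things in the output are the point of the cleanup articles: the AD account <code>jdoe</code> comes back as ambiguous because two HR records (Jane Doe and John Doe) map to the same convention, and <code>tsmith</code> and <code>E100299</code> come back as orphans with no HR owner at all. Neither can be auto-provisioned or auto-deprovisioned until a person resolves it, which is exactly the work the series says must precede the purchase. The terminated-with-access list is the report an auditor will ask for first.</p>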
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firefox Patch Tuesday</title>
		<link>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/</link>
		<comments>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 11:00:00 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2438</guid>
		<description><![CDATA[by Carl Anctil Background: A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-medium wp-image-2440" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/praying-200x300.jpg" alt="praying" width="200" height="300" /></strong>by Carl Anctil</p>
<p><strong>Background:</strong><br />
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, and users in general all over the Internet were in an uproar over Microsoft&#8217;s activities. Fast forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later chose to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.</p>
<p><strong>Situation:</strong><br />
The browser is rapidly becoming the &#8220;new&#8221; OS, and add-ons are the &#8220;new&#8221; applications. This is the new computing model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.</p>
<p>If we look back and remember how networking has evolved over the years, we will notice a pattern. Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It&#8217;s essentially the new OS. It isn&#8217;t a coincidence that Google&#8217;s new OS is called Chrome OS. Or is it? Can anyone say: &#8220;Firefox patch Tuesday&#8221;? I think we may have witnessed the first Firefox patch push.</p>
<p>When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.</p>
<p>What&#8217;s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It&#8217;s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.</p>
<p>We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.</p>
<p><strong>Conclusion:</strong><br />
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Says Bloggers Must Disclose Freebies</title>
		<link>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/</link>
		<comments>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 11:00:11 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2391</guid>
		<description><![CDATA[by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg"><img class="alignright size-full wp-image-2393" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg" alt="A Closer Look at the Money" width="300" height="201" /></a>by Aaron Titus</p>
<p>The FTC recently announced <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">new guidelines</a> requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/guides/endorse.htm"><em>Guides Concerning the Use of Endorsements and Testimonials in Advertising</em></a> in 29 years. The rules go into effect on December 1, 2009.</p>
<p><span id="more-2391"></span>The FTC <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">press release</a> emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for&#8230; failure to disclose material connections between [them].&#8221;  Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner.  Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.</p>
<p>Here&#8217;s the bottom line: <strong>Bloggers</strong> &#8211; Clearly disclose whether you received payment or a free product when giving endorsements. <strong>Advertisers</strong> &#8211; Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.</p>
<p>But bloggers shouldn&#8217;t worry too much.  Simply saying something good about a product is not enough to break the new rules.  Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser.  This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or a free product), 2. in exchange for an endorsement.  When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.</p>
<p>Simply blogging about a free sample will not break the FTC rules.  For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser.  In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.</p>
<p>The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers.  This creates interesting challenges for advertisers, many of whom are already reeling from social media overload.  Purely consumer-generated reviews will not create liability for advertisers.  However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling them in word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.</p>
<p>In addition, simply using an ad agency doesn&#8217;t break the chain of liability.  Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift.  Advertisers should remember that <em>paid bloggers can now incur liability on advertisers</em>, and in this sense, they should treat paid bloggers just like any other employee or company agent.</p>
<p>Tips for Advertisers:</p>
<ol>
<li><strong>Tell Your Bloggers</strong>:  Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products.</li>
<li><strong>Watch Your Bloggers</strong>: Advertisers will be liable for misleading statements from paid bloggers.  However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221;</li>
<li><strong>Tell Your Advertising Agency</strong>:  In your advertising agency contract, require them to insist that bloggers disclose gifts.</li>
<li><strong>Ask for Indemnity</strong>: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.</li>
</ol>
<p>Tips for Advertising Agencies (especially Social Media):</p>
<ol>
<li><strong>Market Your Knowledge</strong>: Advertisers will appreciate that you know about this new regulation.  Let advertisers know that your knowledge puts you in a position to decrease their liability.</li>
<li><strong>Tell Your Bloggers</strong>: See above.</li>
<li><strong>Watch Your Bloggers</strong>: See above.</li>
</ol>
<p>Tips for Bloggers:</p>
<ol>
<li><strong>Be Clear</strong>: If you got paid, or if you got a free product, disclose it up front.  There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality).</li>
<li><strong>Be Conspicuous</strong>: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article.  While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.</li>
<li><strong>Don&#8217;t Worry Too Much</strong>: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review.  As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law).  Now you just have to disclose whether you got paid for your opinion.</li>
</ol>
<p>It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet.  May I be the first to suggest, &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;</p>
<p><em>Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/ftc-says-bloggers-must-disclose-freebies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing the Toughest Times</title>
		<link>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/</link>
		<comments>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 11:07:55 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1918</guid>
		<description><![CDATA[by Ron Woerner Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked [...]]]></description>
			<content:encoded><![CDATA[<p>by Ron Woerner<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg"><img class="alignright size-full wp-image-2453" title="59962_the_axe" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg" alt="59962_the_axe" width="300" height="233" /></a></p>
<p>Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization&#8217;s resources.  This is especially hard when you know those affected.  However, it&#8217;s critical that this tough job be done.</p>
<p>The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.</p>
<p>You shouldn&#8217;t depend on luck to protect your organization&#8217;s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the &#8220;chopping block.&#8221;]</p>
<p><strong>Before the announcement</strong></p>
<p>Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the &#8220;list&#8221; prior to the official announcement.</p>
<p>Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.</p>
<p>Information security personnel should identify single points of (security) failure and high-risk areas.  This includes administrators with expanded ability, authority, or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.</p>
<p>Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.</p>
<p>As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on &#8220;the list.&#8221;  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren&#8217;t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It&#8217;s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.</p>
<p><strong>During the announcement</strong></p>
<p>With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled, in case you need them in the future (e.g., rehires). It&#8217;s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn&#8217;t kept complete documentation of each worker&#8217;s individual access rights, passwords, user names, and security cards.</p>
<p>Occasionally, the manager will request that the separated associate&#8217;s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  The account needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.</p>
<p>Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it&#8217;s that or any other password for a service account, make sure the password is changed ASAP.</p>
<p>Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don&#8217;t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.</p>
<p>Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.</p>
<p>Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets, and you should be ready to take action.</p>
<p><strong>After the separations</strong></p>
<p>While the major threat may have passed once the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.</p>
<p>One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can&#8217;t be ignored.  A side benefit is the freeing of storage space.</p>
<p>The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department, as this material can be recalled for legal proceedings.</p>
<p>Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.</p>
<p>Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.</p>
<p><strong>Conclusion</strong></p>
<p>Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.  The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn&#8217;t to be intrusive, but to ensure the continual protection of the organization.</p>
<p>Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.</p>
<p><strong>Checklist of Security Items to Consider with Lay-Offs</strong></p>
<p><em>Before</em></p>
<ul>
<li>Planning / Establish processes
<ul>
<li>Disabling access</li>
<li>Communications</li>
</ul>
</li>
<li>Establish trusted contacts
<ul>
<li>HR</li>
<li>Legal</li>
<li>Security</li>
<li>Management</li>
</ul>
</li>
<li>Identify single points of (security) failure
<ul>
<li>Employees who pose a danger (to themselves or others)</li>
<li>Administrators</li>
<li>Associates with access to sensitive or confidential data</li>
</ul>
</li>
<li>Identify risks
<ul>
<li>Intellectual property</li>
<li>Confidential data</li>
<li>Property</li>
</ul>
</li>
</ul>
<p><em>During</em></p>
<ul>
<li>Disable regular individual access
<ul>
<li>Logical</li>
<li>Physical</li>
<li>Phone</li>
<li>Email</li>
</ul>
</li>
<li>Remove access to shared accounts
<ul>
<li>Administrator accounts</li>
<li>Service accounts</li>
<li>Other shared passwords</li>
</ul>
</li>
<li>Asset retrieval
<ul>
<li>Computers (laptops)</li>
<li>USB drives</li>
<li>Two-factor authentication tokens</li>
<li>Cell phones / PDAs / pagers</li>
<li>Paper documents</li>
</ul>
</li>
<li>Enhance monitoring
<ul>
<li>IDS/IPS</li>
<li>Logs</li>
<li>Physical surveillance</li>
</ul>
</li>
</ul>
<p><em>After</em></p>
<ul>
<li>Continued vigilance</li>
<li>Review of assets &#8220;left behind&#8221;
<ul>
<li>Online documents, files, and shared storage</li>
<li>Email</li>
<li>Papers</li>
</ul>
</li>
<li>Check for backdoors, Trojan horses, logic bombs
<ul>
<li>Unix</li>
<li>Windows</li>
<li>Databases</li>
<li>Network devices</li>
</ul>
</li>
<li>Lessons learned
<ul>
<li>What went right?</li>
<li>What could be done better?</li>
<li>Process improvements</li>
</ul>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Have a workable plan, or else&#8230;</title>
		<link>http://www.securitycatalyst.com/2009/10/have-a-workable-plan-or-else/</link>
		<comments>http://www.securitycatalyst.com/2009/10/have-a-workable-plan-or-else/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 11:04:49 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2168</guid>
		<description><![CDATA[by Martin Fisher As we continue to discuss the Basic Truths of Incident Response Leadership, we&#8217;ve briefly gone over the three Basic Truths as well as done a deeper analysis of &#8220;Succeeding By Planning to Fail&#8221;. This brings us to: Basic Truth #2: Have A Workable Plan, or Else As an Incident Response Leader, one [...]]]></description>
			<content:encoded><![CDATA[<p>by Martin Fisher<span style="font-family: Times New Roman; font-size: small;"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1072216_engineering_plans_1.jpg"><img class="alignright size-full wp-image-2447" title="1072216_engineering_plans_1" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1072216_engineering_plans_1.jpg" alt="1072216_engineering_plans_1" width="300" height="225" /></a></span></p>
<p>As we continue to discuss the Basic Truths of Incident Response Leadership, we&#8217;ve briefly gone over the three Basic Truths as well as done a deeper analysis of &#8220;Succeeding By Planning to Fail&#8221;. This brings us to:</p>
<p>Basic Truth #2: Have A Workable Plan, or Else</p>
<p>As an Incident Response Leader, one of the most valuable parts of your role is to create, test, exercise, and (when called upon) execute Incident Response Plans (IRPs).  IRPs run the gamut from a Post-It note on the wall listing contact phone numbers, to plans that take up several 3-ring binders on a shelf somewhere.  Plans can be long or short, detailed or vague, paper or electronic, automated or manual&#8230;you get the picture.  What makes a good plan different from a not-so-good plan can be summed up in a few ways.</p>
<p>First, can you execute the plan using only the resources that you legitimately would have access to during the incident?  We&#8217;ve all seen plans that call for using network analyzers that aren&#8217;t accessible to the organization or that call for numbers of personnel that just don&#8217;t exist.  You may have written plans that assume that the responding team has skills and experience that your current team just doesn&#8217;t have (I have).  The key is to map out the current skills and capabilities of your team and employ them as best you can to meet the anticipated incident.</p>
<p>As you identify resources available to you, it pays to be creative.  Can other teams identify folks who could temporarily be available during an incident (think of it as an in-house &#8220;volunteer fire department&#8221;)?  Do you have relationships with designated outside incident response consultants? Do you have relationships with local, state, or federal law enforcement?  In today&#8217;s business environment, Incident Response Leaders need to be creative in identifying resources that can assist during a response cycle.</p>
<p>Second, you have to test the plan.  This sounds so intuitive, but many plans never get past the written-down stage before they are needed in an incident, because no leader stepped in to ensure that the plan would work as designed.  One of the most effective testing plans for an IRP is also the least expensive &#8211; the simple &#8220;Talk Through&#8221;, where all of the designated players sit at a conference table (pizza is optional, but highly recommended) and talk through the plan, noting any foreseen problems or issues.  The team needs to be encouraged to not only point out potential problems, but brainstorm solutions they can implement as-is since (as we talked about in Basic Truth #1) you can only plan on the resources you have, not the resources you want to have.</p>
<p>Plan testing needs to be redone each and every time the plan is modified, or at some regular interval (at least annually).  Testing can be announced or (my personal favorite) unannounced.  The time spent testing can help the Incident Response Leader assess not only the plan, but the team assigned to execute it.  The feedback loop should encompass applications, hardware, processes and procedures, as well as people.  Everything is fair game.</p>
<p>Lastly, you need to continually exercise your plan.  This, while not as intuitive as testing, is something that many organizations fail to do, claiming &#8220;it&#8217;s too hard&#8221; or &#8220;it&#8217;s too disruptive&#8221; or &#8220;it&#8217;s already been tested, why should I do an exercise?&#8221;  Having performed incident response on plans that have been exercised and plans that have not, I can tell you with complete assurance that plans that have been exercised are executed more smoothly, with fewer problems and a better resolution.</p>
<p>Exercises can range from a talk-through (similar to testing but without the constant feedback loop) to a full-on exercise using live equipment.  Talk-through exercises can help in quickly familiarizing a team with a new (or newly updated) plan.  Talk-through work will also quickly point out assumptions that, while seemingly accurate in testing, don&#8217;t fit the way the incident response team works.  All other things being equal, I believe that talk-through exercises offer the highest return for time spent in any aspect of prepping for an incident.</p>
<p>Full-on exercises, as powerful and complete as they are, can be very hard to accomplish.  Most organizations cannot fully replicate their production systems (even using virtual machines).  These exercises, when they can be done at all, are usually done in development or test environments and generate most of their value by allowing teams to actually assess and interpret adversary actions and data.  These exercises are an Incident Response Leader&#8217;s best chance to simulate the stress and activity of a real incident.</p>
<p>Taking all of this into account, it&#8217;s clear that the Incident Response Leader must be able to create, test, and exercise an IRP to be able to effectively respond during the inevitable incident.  By creating plans designed around available resources, qualifying the plans with testing, and regularly exercising the plan, you can ensure that you and your organization will be ready when the inevitable incident occurs.</p>
<p>But it&#8217;s not over yet.  Once you&#8217;ve gotten this far, you still have one vital task to accomplish.  We&#8217;ll cover that in the last article on the Basic Truths of Incident Response Leadership.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/have-a-workable-plan-or-else/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Getting rid of your best people</title>
		<link>http://www.securitycatalyst.com/2009/10/getting-rid-of-your-best-people/</link>
		<comments>http://www.securitycatalyst.com/2009/10/getting-rid-of-your-best-people/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 12:29:23 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2361</guid>
		<description><![CDATA[by James Costello A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of&#8230; Locally there were four offices under the corporate umbrella, each a legacy of the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1176401_executioner.jpg"><img class="alignright size-full wp-image-2414" title="1176401_executioner" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1176401_executioner.jpg" alt="1176401_executioner" width="225" height="300" /></a>by James Costello</p>
<p>A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years, and all of the dust seemed to be settling.  Sort of&#8230;</p>
<p>Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years.  The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office.  This was reasonable, and most of the staff saw this as a good business move.  Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.</p>
<p>Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date.  The new seating chart was printed, offices were assigned, and additional requests were made.  Here is where we take a turn for the weird:</p>
<h3>Treating your people like they are worthless: Elimination of a position announced through the new seating chart.</h3>
<p>One of my friend&#8217;s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks.  Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la &#8220;Office Space&#8221;.  Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people&#8217;s mouths.</p>
<h3>Generate a menial or pointless task.</h3>
<p>Actually, this one is a little worse than pointless: it is counterproductive.  Time tracking is a part of a lot of people&#8217;s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities.  This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1.  The company wanted real data for that entire time.  Do you remember how you spent your day in fifteen-minute increments 6 months ago? 6 weeks ago?  6 days ago?  As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy and would then be the basis of the next three years of projections.  They were told, effectively, not to worry about it and that the data analysis team would take care of it.  To me, dear reader, that is like saying, &#8220;Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.&#8221;  Yes, you will have a smaller set of data to work off of, but it will be more accurate, and your people will feel better about their work.</p>
<p>So what can you do to avoid putting yourself or your coworkers in such a situation &#8211; aside from not working where my friend works?  Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible.  If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say.  Don&#8217;t make decisions in a vacuum. If it impacts people, get their input.  Running a business depends on the people that work there; if they don&#8217;t feel valued, then the business won&#8217;t be valued.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/getting-rid-of-your-best-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shooting ourselves in the foot: Can the bad economy keep us from buying more bullets?</title>
		<link>http://www.securitycatalyst.com/2009/10/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/</link>
		<comments>http://www.securitycatalyst.com/2009/10/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 15:51:28 +0000</pubDate>
		<dc:creator>Ioana Bazavan Justus</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2388</guid>
		<description><![CDATA[by Ioana Justus My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you&#8217;d think that people would be a little more judicious about how they spend the small [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2389" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/for-mysite.jpg" alt="for mysite" width="145" height="150" />by Ioana Justus</p>
<p>My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you&#8217;d think that people would be a little more judicious about how they spend the small budget they have remaining, but that&#8217;s turning out not to be the case.  Surprisingly, I think the vehemence with which we&#8217;re shooting ourselves in the foot has increased as the budgets have shrunk.  Now that the economy has bottomed out and is (supposedly) on the rebound, is there any chance of changing some of the behaviors before the upswing takes hold?</p>
<p>Let me ask you a different question: If you lived in Chicago and your house needed a new roof, would you just go out and buy the one recommended by your buddy out in San Francisco, because he&#8217;s thrilled with his new roof?  Hopefully, the answer to this is no.  You may take a look at it, but I&#8217;d hope that you would check whether its structural integrity is sufficient for the added wind, cold, and snow weight that Chicago roofs experience.  Once selected, would you allow the contractor to cut corners on your roof installation just to make a specific deadline?  Is a permanently leaky roof worth a couple of weeks?</p>
<p>If you wouldn&#8217;t blindly purchase something for your own home based solely on the recommendation of a friend, why would you purchase a product for your company based on the recommendation from a vendor, a colleague in another industry, or a conversation on the golf course?  How can you justify the potential risk?  What happens to your reputation when the product in question doesn&#8217;t perform as expected?  Where does the budget come from if you end up having to replace the entire thing?</p>
<p>When budgets are tight, there are better things to purchase with what little you have than bullets for your foot, and there are three very simple rules that can keep your munitions purchases at bay:</p>
<ol>
<li>Don&#8217;t &#8216;decide&#8217; on a due date, calculate it.  Implementations take time and resources.  As much as you might want something in production by the end of the quarter, it might not be possible to do in a reasonable way.  Before committing to a date that&#8217;s just not feasible, spend a little time to determine the effort involved and lead-times for any purchases/installations that may need to be made, and to assess the availability of the resources required.  Then calculate a plausible due date based on the reality of the work effort and be sure to document the consequences of cutting corners, should that still be desired.  Sure, there will be instances when time is of the essence, but those are not as frequent as most people think.  When you consider long-term support costs and the massive adjustments that are usually needed to make a quickly installed product work, the calculated ROI is rarely met, and the costs to reputation and morale are higher than many would like to admit.</li>
<li>Don&#8217;t &#8216;make up&#8217; budget numbers, calculate them.  We all instinctively have assumptions about how much something should cost.  Some of us are better than others at guesstimating accurately.  Most of us underestimate &#8211; significantly!  So before publishing a number that just doesn&#8217;t make sense, do the math.  There&#8217;s truly nothing to be gained by setting the expectation that the desired work can be done for half the actual cost.  If the true cost is prohibitive, then the negotiations need to start, and the consequences should be documented and accepted for each item cut.  But if you&#8217;ve dug yourself a hole before the negotiations have even started, you&#8217;re in for a world of hurt.</li>
<li>Don&#8217;t fit your problems to a pre-determined solution, pick a solution that fits your problem.  No matter how nice the vendor is or how much you value your golf buddy&#8217;s opinion, the product they&#8217;re pushing may not be the right one for your company.  The only way to know for sure is to gather requirements first, based on the actual needs, desires, and roadblocks currently being faced by your company.  Then you can assess whether the desired product fits the bill.  If it doesn&#8217;t, don&#8217;t buy it!  If nothing fits the bill, pick the best option, or consider waiting for future developments.  In any case, be sure to document the trade-offs, and get agreement that they&#8217;re acceptable.</li>
</ol>
<p>Simple, right? <img src='http://www.securitycatalyst.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  But if we were all doing this, I wouldn&#8217;t be writing about it.  The problem is that it has become acceptable to ignore the rules, and anyone who doesn&#8217;t follow suit is viewed negatively.  The real challenge is for each of us to take the personal responsibility to follow the rules, regardless of our position in the company.  Only then will we change the expectation and make it unacceptable to ignore the rules.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/shooting-ourselves-in-the-foot-can-the-bad-economy-keep-us-from-buying-more-bullets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Use Your Words</title>
		<link>http://www.securitycatalyst.com/2009/04/use-your-words/</link>
		<comments>http://www.securitycatalyst.com/2009/04/use-your-words/#comments</comments>
		<pubDate>Fri, 17 Apr 2009 11:00:55 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[language]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1440</guid>
		<description><![CDATA[by Jeff Kirsch If you have been around small children for very long, you will probably hear parents utter the phrase, &#8220;Use your words.&#8221; This is usually in response to a child having a tantrum or resorting to yelling to get attention. Parents are reminding their children that the way to communicate is through using [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><strong>by Jeff Kirsch<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/useyourwords.jpg"><img class="alignright size-medium wp-image-1663" title="useyourwords" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/useyourwords-300x225.jpg" alt="useyourwords" width="300" height="225" /></a><br />
</strong></p>
<p>If you have been around small children for very long, you will probably hear parents utter the phrase, &#8220;Use your words.&#8221; This is usually in response to a child having a tantrum or resorting to yelling to get attention. Parents are reminding their children that the way to communicate is through using their words so others know what they want.</p>
<p><strong>Brain &#8220;Cache&#8221;</strong></p>
<p>My oldest son has enjoyed playing online games since he was about four years old. We have always tried to encourage him to play games that have educational value, but we also allow him to play games just for fun. One Saturday afternoon my son was playing a semi-educational game. At the end of the game a certificate would print out congratulating him on his success. Before starting the game he was asked to enter his name. He proceeded to play the game and got his certificate. Then he decided to play the game again; the program asked him for his name just like the first time. This is where I got involved. &#8220;Daddy,&#8221; he called out; I came in the room thinking he had closed the window he was in and needed me to get him back to his game. Turned out he had a different problem.</p>
<p>&#8220;Why doesn&#8217;t the game remember who I am?&#8221; he asked. After getting filled in on what happened, I offhandedly said, &#8220;must be poorly handled cookies&#8221;. Like any 5-year old, he asked what cookies were doing in the computer. &#8220;These aren&#8217;t cookies you eat,&#8221; I began, and then explained how websites use small files to keep information about you and your online usage, like your name. This took more than a few minutes to explain, but he finally understood the concept. His next question was, &#8220;Why didn&#8217;t the website people test this out?&#8221;</p>
<p>The most amazing thing about kids isn&#8217;t how much information they can take in without being filled up, but their ability to remember what they have learned. The following day my in-laws were over for dinner, and my son was playing some online games again. My father-in-law walked into the den and I overheard him talking to my son. When he returned to the kitchen he said, &#8220;The only types of cookies I know about are the kind you eat, but your oldest told me there are cookies in the computer.&#8221;</p>
<p><strong>Whose Words?</strong></p>
<p>We spend a lot of time learning our specialties, and as part of that comes a whole set of terms and acronyms. It becomes natural to talk in our own language, even when we deal with people not in our specialty. This is where problems begin, especially when we are called on to be part of a larger team that includes such people. A failure to find a common language can result in a project failing to meet deadlines, or worse. In the long run, you may find yourself being shut out of such cross-team projects, which are your best opportunity to show people you really have an expertise.</p>
<p>Language can become a barrier, even when it is not our intent. It can be frustrating to &#8220;outsiders&#8221; when we speak our own language; it can even sound like we are talking down to them, when that&#8217;s not our intent. Likewise, we may become frustrated when others try to speak our language and fail to understand the nuances of our terms. There are times when the best way to talk about what you know is in your own terminology. In fact, if we take the time to educate others on those terms, we can even expand our status as an expert. Likewise, if we take the time to learn the terminology of others we gain their respect and make it easier to communicate our ideas. In the end, that respect and communication are what lead us to provide the best results for our clients and organizations. We spend our childhood learning to use our words, then our adulthood learning other people&#8217;s words.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/use-your-words/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Coming Out of the &#8220;Cave&#8221;</title>
		<link>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/</link>
		<comments>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 11:00:07 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1451</guid>
		<description><![CDATA[by Trish Smith As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dried, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave.jpg"><img class="alignright size-medium wp-image-1456" title="cave" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave-226x300.jpg" alt="cave" width="226" height="300" /></a><strong>by Trish Smith</strong></p>
<p>As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dried, and the surprises were pretty minimal. As far as information security was concerned, it was usually enough to simply hand down security measures and escape back to the sanctity of the IT &#8220;cave&#8221;.</p>
<p>We&#8217;ve come a long way, baby.</p>
<p>In the past few years, everything about the field has changed. Not only do job descriptions look drastically different, but the environment in which those jobs are taking place has changed. Budgets are smaller, the threats to organizations are greater, and the skills that are required have broadened. People in general are also more tech-savvy, which makes the job both more and less difficult. On one hand, IT is dealing less and less with people who are completely unfamiliar with computers and the internet; on the other, a little bit of knowledge can be a dangerous thing. People sometimes know just enough to create problems, and not enough to be able to fix them on their own.</p>
<p>In addition, we&#8217;ve come to the realization that it&#8217;s no longer enough to simply possess technical skills; IT workers now need to work with the rest of the organization to make security measures more successful. As I&#8217;ll discuss further below, success is much more likely when members of the organization are included in the process, rather than simply having security measures foisted upon them.</p>
<p>However, what this means for infosec employees is that they need a whole new set of skills, including the ability to communicate the value of what they do to fellow employees and to management. Job security is far from guaranteed for any member of the organization. Involving the rest of the organization in the development of security measures ensures buy-in from the organization for the measures and makes the success of these measures far more likely (and by extension, of the IT department as well).</p>
<p>How does involving those affected by security measures in the process make those measures more likely to succeed? First, simply by going to the employees themselves to get information about how they do their jobs, security measures become more specific to the people they&#8217;re actually supposed to help. A system that is designed around the people who are going to be using it is far more likely to be effective than one that isn&#8217;t.</p>
<p>Second, as people become more involved in the experience of creating these security processes, their fear of the measures that are introduced is diminished, making them more likely to comply and to be successful with such measures. They become partners in the security effort, and invested in its success.</p>
<p>True, change can be scary. But the opportunities inherent in such change make this an exciting time for the field. It&#8217;s not so bad out here after all.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do You Communicate Consistently?</title>
		<link>http://www.securitycatalyst.com/2009/04/do-you-communicate-consistently/</link>
		<comments>http://www.securitycatalyst.com/2009/04/do-you-communicate-consistently/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 11:00:14 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[incident handling]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1412</guid>
		<description><![CDATA[by Julie Fuggett Clear, concise, well-written e-mails can be the key to getting what you want, but have you ever considered that they can also save you time, headaches, and even keep you out of hot water? During the incident handling process, we all know that communication is key. Everyone on the incident handling team [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/robot_phone.jpg"><img class="alignright size-thumbnail wp-image-1413" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/robot_phone-150x150.jpg" alt="robot_phone" width="150" height="150" /></a><strong>by Julie Fuggett</strong></p>
<p class="MsoNormal">Clear, concise, well-written e-mails can be the key to getting what you want, but have you ever considered that they can also save you time, headaches, and even keep you out of hot water?</p>
<p class="MsoNormal">During the incident handling process, we all know that communication is key. Everyone on the incident handling team must know what the expectations are for their behavior. What is needed of them and when? What should they do? What should they not do? This is especially important if you have technical support staff members who are not full-time IT security staff assisting with incidents. Clear, concise messages that set expectations in black and white can be the one thing that stands between much-needed evidence and spoliation brought on by a network admin who thought he or she was doing the right thing.</p>
<p class="MsoNormal">Are you re-inventing the wheel every time you handle an incident? You may know the process backwards and forwards in your own head, but what if you have to pass the incident off to another staff member or bring in someone from outside the security office for help? Do you have faith in your own ability to explain all the ins and outs of handling an incident to someone who rarely (or never) gets involved? Having to document all the do&#8217;s and don&#8217;ts of incident handling during the incident could lead to very costly mistakes. Clear, consistent communications are key to getting your point across as well as documenting what has been done and what needs to be done.</p>
<p class="MsoNormal">Well-designed message templates can save precious time and mistakes when an incident has occurred. These messages should be formatted to be easy to read, concise, and written to suit the technical acumen of their potential audience. They should say what is okay to do to the system in question as well as which actions should absolutely not be performed. If a message regarding notification of a compromise is to be sent to an IT staff member outside the security office, you may wish to give them a list of actions to perform (assess the physical state of the system, fill out an initial survey with the user of what data is present, etc) and remind them not to attempt to clean an infection on a compromised system.</p>
<p class="MsoNormal">Depending on the structure of IT in your organization, they may also need to lay out consequences for lack of compliance with the instructions in the message. These could be technological (loss of network access) or administrative (report to HR) in nature.</p>
<p class="MsoNormal">Consistent communication isn&#8217;t just for incident handling, however! Use it to your advantage when dealing with customers and clients as well. Find efficiencies in the way you communicate with outsiders that set clear expectations on what you can do for them or share with them. You can also use this as a way to gauge the efficiency of other services. If you find that you are repeating the same set of instructions to your users over and over and over again, perhaps it is a sign that your service is making its users work for it instead of the other way &#8217;round.</p>
<p class="MsoNormal">Finally, make sure any message templates you choose to use are vetted. (For the sake of professionalism, you should also have them proofread!) Incident response templates should likely be vetted by management and counsel. Customer communication message templates should be vetted by representatives of your user community and <em>not</em> just by &#8220;the guys around the office.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/do-you-communicate-consistently/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Power of Positive Rethinking</title>
		<link>http://www.securitycatalyst.com/2009/01/the-power-of-positive-rethinking/</link>
		<comments>http://www.securitycatalyst.com/2009/01/the-power-of-positive-rethinking/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 15:46:55 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=980</guid>
		<description><![CDATA[As Security Catalysts, it is crucial to consider both the message and the audience *before* communicating. Ignoring this step reduces desire for people to regularly engage us, directly impacting our effectiveness. Not considering our audience also means that after delivering the message, we need to actively check to make sure it was received as intended. This creates extra work, requiring more asking and creating a vicious cycle that wastes our already-limited time. Instead of talking to (or at) someone, lets converse with them.]]></description>
			<content:encoded><![CDATA[<p>by David McCartney</p>
<p><em>&#8220;It&#8217;s not communication unless the message sent is the message received.&#8221;</em></p>
<p>Wise words from my father. The quote may have originated elsewhere, but the words ring true. Too often, we fall into a trap where once we have &#8220;sent&#8221; the message, we expect that it was &#8220;received&#8221;. How do we know? Do we really *want* to know?</p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/whisper.jpg"><img class="alignright size-medium wp-image-981" title="Can you hear me?" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/whisper-300x199.jpg" alt="Can you hear me?" width="300" height="199" /></a>Let me demonstrate:</p>
<p>Recently, my team was charged with putting in place a way to securely send emails to customers, clients, and partners. Additionally, the solution would need to scan the content and attachments for information the organization wanted to leave only in a secure fashion.</p>
<p>Once implementation was completed, marketing announced the arrival of the tool and how it could impact workflow, taking extra steps to give it a positive spin. To help reduce false positives, we passively monitored and modified settings as needed, then after a few months the system was activated and blocking began. We knew no system was perfect and occasionally communications are prevented that shouldn&#8217;t be, so we gave a method to bypass the secure mechanism. The message flow looked something like this:</p>
<ol>
<li>Secure device receives email and encrypts if requested</li>
<li>If not requested, scans email and attachments for sensitive data</li>
<li>If sensitive data is found, blocks the email from being sent and provides an example to the user showing how to send securely or bypass the mechanism if appropriate</li>
</ol>
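<p>The three-step flow above, written out as an added example (not the author&#8217;s deployment, whose product and settings the post never names). It assumes the user requests encryption with a <code>[secure]</code> subject tag and asserts a bypass with a <code>[bypass]</code> tag; the SSN and card-number patterns, the Luhn check that trims card false positives, and the short block notice are all illustrative choices. The notice deliberately says what was found, the two ways to resend, and where to get help, and nothing else, since a wordy, accusatory notice is exactly what the post describes going wrong.</p>

```python
"""Outbound-mail DLP policy shaped like the post's message flow.

Added example, not the original deployment. Assumed conventions:
  - "[secure]" in the subject asks for encryption (step 1)
  - "[bypass]" in the subject asserts the content is cleared to send (step 3)
Patterns and sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

SECURE_TAG = "[secure]"   # assumption: how a user requests encryption
BYPASS_TAG = "[bypass]"   # assumption: how a user invokes the bypass

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return masked descriptions of sensitive data found in text."""
    hits = [f"SSN {m.group()[:3]}-**-****" for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(f"card ending {digits[-4:]}")
    return hits


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # name -> extracted text


@dataclass
class Decision:
    action: str              # "encrypt", "deliver" or "block"
    findings: list[str]
    notice: str = ""         # text returned to the sender, if any


def block_notice(findings: list[str]) -> str:
    """Concise, actionable notice: what was found, how to resend, where to get help."""
    lines = ["Your message was not sent because it appears to contain sensitive data:"]
    lines += [f"  - {f}" for f in findings]
    lines += [
        f"To send it encrypted, add {SECURE_TAG} to the subject and resend.",
        f"If this data is cleared for release, add {BYPASS_TAG} to the subject; "
        "bypasses are logged.",
        "Need help now? Contact the Help Desk.",
    ]
    return "\n".join(lines)


def evaluate(msg: Message) -> Decision:
    subj = msg.subject.lower()
    # Step 1: encryption requested, send securely without further inspection.
    if SECURE_TAG in subj:
        return Decision("encrypt", [])
    # Step 2: scan body and every attachment.
    findings = find_sensitive(msg.body)
    for name, content in msg.attachments.items():
        findings += [f"{name}: {hit}" for hit in find_sensitive(content)]
    if not findings:
        return Decision("deliver", [])
    # Step 3: honour an explicit bypass (audited), otherwise block with guidance.
    if BYPASS_TAG in subj:
        return Decision("deliver", findings, notice="bypass recorded")
    return Decision("block", findings, notice=block_notice(findings))


if __name__ == "__main__":
    # Constructed sample: a claim e-mail with an SSN in the body and a card in an attachment.
    sample = Message("clerk@example.org", "Claim 4471",
                     "Patient SSN 123-45-6789, see attached.",
                     {"card.txt": "Paid with 4111 1111 1111 1111"})
    print(evaluate(sample).notice)
```

Running the block prints the notice a blocked sender would see; resending the same message with <code>[secure]</code> in the subject takes the encrypt path, and with <code>[bypass]</code> it is delivered with the findings retained for audit.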
<p>Almost immediately, my team received responses from individuals with blocked messages calling the service &#8220;stupid&#8221;, &#8220;idiotic&#8221;, or &#8220;a waste of time&#8221;. Comments were sometimes followed by personal insults as well, even though they were sent to a distribution list with no specific personnel attached.</p>
<p>As I&#8217;d only recently joined the organization, I had an extremely difficult time not taking the responses personally despite the fact I had nothing to do with the secure messaging implementation. While I suspect the perceived disassociation of sending to a distribution list instead of more personal contact encouraged the comments we were receiving, it didn&#8217;t make them any easier to read.</p>
<p>However, after putting my feelings aside, I started analyzing what the users were trying to communicate and quickly discovered a common theme:</p>
<p><em>Despite being given an example in the blocked notification, users were frustrated because they didn&#8217;t know how to use the bypass.</em></p>
<p>I began digging deeper, trying to figure out *why* the example, and hence the communication, was not effective. It turns out the automated response was extremely wordy, difficult to understand, and very passive-aggressive in regards to auditing and consequences. No wonder we received such heated replies!</p>
<p>I&#8217;m in the process of revising the automated response. In addition to making the information more concise, we&#8217;ll also be redirecting users to the Help Desk if they need immediate assistance. Once the Help Desk staff is trained on how to respond to their customers&#8217; issues, I hope satisfaction with the secure messaging tool will increase greatly. If it doesn&#8217;t, I&#8217;ll wash, rinse, and repeat the analysis cycle again to find where the new shortcomings are. Because really, it&#8217;s not communication unless the message sent is the message received.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/01/the-power-of-positive-rethinking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You are now Liable for Unintentional Medical Data Breach In NY State</title>
		<link>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/</link>
		<comments>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/#comments</comments>
		<pubDate>Thu, 06 Dec 2007 17:07:17 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/12/06/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/</guid>
		<description><![CDATA[A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient&#8217;s medical information....  She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms.  A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications....  In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant.  As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith....  Even though the medical center&#8217;s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff&#8217;s medical information was grossly negligent and wanton behavior....  The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information.  The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA)....  Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed.]]></description>
			<content:encoded><![CDATA[<p><strong>by Patrick Romero</strong></p>
<p>Health care employers be warned &#8211; an unintentional data breach could now cost you much more than you imagined.  A <a href="http://jacquelineklosek.com/2007/11/24/ny-case-upholds-punitive-damages-for-unintential-data-breach" class="broken_link">New York State Appellate Court has recently upheld a $365,000</a> jury award against a health care center that mistakenly disclosed information regarding a patient&#8217;s medical information.</p>
<p>A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center.  She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms.  A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications.  Unfortunately, the nurse spoke with the woman&#8217;s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.</p>
<p>In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant.  As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.</p>
<p>The case is significant due to the implications for organizations handling medical information.  Even though the medical center&#8217;s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff&#8217;s medical information was grossly negligent and wanton behavior.  Based on this interpretation, it appears that it will now be more difficult for healthcare workers to excuse a disclosure of medical information as a mistake or mere negligence.</p>
<p><a href="http://www.jacksonlewis.com/legalupdates/article.cfm?aid=1226">The Court also appeared to have affirmed the jury&#8217;s award for punitive damages in order to send a message about the importance of protecting medical information</a>.  Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations.  The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information.  The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA).  However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.</p>
<p>More and more states are enacting laws regulating the disclosure of private and confidential information.  Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed.  These rules need to be properly followed and understood by all employees of an organization.  The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/12/you-are-now-liable-for-unintentional-medical-data-breach-in-ny-state/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Advertising:  The Start of a Long Debate</title>
		<link>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/#comments</comments>
		<pubDate>Mon, 26 Nov 2007 14:07:41 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[advertising]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/26/online-advertising-the-start-of-a-long-debate-2/</guid>
		<description><![CDATA[Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans&#8217; online experience and not stifle internet growth....  They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.  Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick....  The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members&#8217; interests and what specialized advertisements would be delivered to them....  The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user's activities on a DoubleClick affiliated web site....  As a result of these legal and business developments, the FTC has to become more actively involved in slowing down the pace of behavioral targeting....  Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies....  The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements. The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero</strong></p>
<p>One of the principal missions of the Federal Trade Commission is to protect American consumers against activities such as false advertising and unfair business practices.  Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans&#8217; online experience and not stifle internet growth.</p>
<p>The <a href="http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml">FTC held a two-day forum earlier this month</a> regarding online advertising and privacy.  The meeting concerned the tactics of behavioral targeting, which is used by online publishers and advertisers to deliver ads based on users&#8217; web-browsing behavior.  Advertisers believe that this information helps them deliver better information to consumers and increases the effectiveness of their campaigns.  Opponents and civil liberty advocates warn against the erosion of privacy and lack of consent by consumers. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination.</p>
<p>Online privacy has become a major concern, especially in light of the news earlier this year that <a href="http://www.google.com/intl/en/press/pressrel/doubleclick.html">Google was purchasing internet advertising giant DoubleClick</a>.  While Google collects the history of its users through its search engine, DoubleClick tracks what websites people visit.  In order to do this, DoubleClick creates profiles for users based on their IP address, domain, browser, local time and date, operating system, and page viewed.  The ability of one company to collect data on millions of individuals without any government oversight is disconcerting, to say the least.</p>
<p>The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising.  Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members&#8217; interests and what specialized advertisements would be delivered to them.  There has even been <a href="http://bits.blogs.nytimes.com/2007/11/08/are-facebooks-social-ads-illegal/?ex=1352264400&amp;en=c7c1eccfb23fee54&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss">recent controversy as to whether this type of targeted advertising is even legal or not.</a></p>
<p>Past attempts to stop behavioral targeting have been unsuccessful. In 2001, a <a href="http://cyber.law.harvard.edu/is02/readings/doubleclick.html">class action lawsuit was brought against DoubleClick</a> for keeping cookies stored on internet users’ computers without their consent. The court ruled against the plaintiffs, finding that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user&#8217;s activities on a DoubleClick-affiliated web site. The court held that since the user consents to DoubleClick’s access by visiting the website affiliated with the advertisement, no law was being violated.</p>
<p>As a result of these legal and business developments, the FTC has had to become more actively involved in slowing down the pace of behavioral targeting. Privacy organizations are calling on the FTC to establish, <a href="http://www.democraticmedia.org/news_room/press_release/FTCSupplementalFiling">among other things</a>, an opt-out policy similar to the one applied to telemarketers. They would also like to see fines for non-compliance, and disclosure of all data-collection practices clearly visible on websites that engage in behavioral targeting.</p>
<p>Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies. The most successful internet companies rely heavily on advertising dollars to sustain their growth and need this capital to generate new technologies. Concerns for consumer privacy should therefore be weighed in tandem with the economic model that continues to fuel new technological advancements.</p>
<p>The Google-DoubleClick acquisition has put online privacy at the forefront of government concern. Congress and the EU have scheduled hearings on the impact that these two companies will have on consumers’ online experience. Proposals for government intervention will surely be considered in order to control how information is used and stored. The debate as to whether there should even be state intervention in this country appears to have begun.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/online-advertising-the-start-of-a-long-debate-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>[Focus on Privacy] E-Mail Privacy: A short-lived dream?</title>
		<link>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/</link>
		<comments>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/#comments</comments>
		<pubDate>Tue, 06 Nov 2007 21:42:47 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/06/focus-on-privacy-e-mail-privacy-a-short-lived-dream/</guid>
<description><![CDATA[Basically, does the government need to rise to the level of requiring a subpoena in order to require your ISP to provide them a copy of your email records, and in the process, notify you that they have done so? Think about that for a second.... As a company, what standard is the government required to produce in order to compel you to provide email records – especially if you are an ISP or other email provider? Based on a landmark ruling this past summer, it appeared the easy answer was “yes.” In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy” in their e-mail communications.... The humble beginning: The decision of the 6th Circuit arose out of the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegations of mail and wire fraud, money laundering, and related federal offenses.

...The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a” 4th Amendment violation. Why is email different? Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box.... As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause. Yet while the government is correct in arguing that e-mail is not akin to the telephone, its argument would eradicate any expectation of privacy for any type of communication which requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero and Michael Santarcangelo</strong></p>
<p>Previously, <a href="http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/">we explored whether you should be issuing and relying on email disclaimers</a>. This week, we look deeper into email communication to find out whether your emails are considered private communications.</p>
<p>When we speak with audiences, this topic generates a lot of questions, opinions and sometimes controversy. While everyone is entitled to his or her opinion on the topic, we wanted to look at the legal grounding in order to form a more complete answer.</p>
<p>In the business world, the answer is pretty clear: if you are using the resources of your company, then you have no expectation of privacy. However, what about when you’re using your personal email account on non-company resources? Do you have a reasonable expectation of privacy for those messages?</p>
<p>The crux of the argument here is the <a href="http://caselaw.lp.findlaw.com/data/constitution/amendment04/">Fourth Amendment</a>. Basically, does the government need to rise to the level of a subpoena in order to require your ISP to provide them a copy of your email records, and in the process notify you that they have done so?</p>
<p><em>Think about that for a second.<br />
</em><br />
This has implications both for you personally and for your organization. What standard is the government required to meet in order to obtain your email records? As a company, what standard is the government required to meet in order to compel you to provide email records – especially if you are an ISP or other email provider?</p>
<p>Based on a <a href="https://www.eff.org/cases/warshak-v-usa">landmark ruling</a> this past summer, it appeared the easy answer was “yes.” In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy” in their e-mail communications.</p>
<p><strong>Not so fast</strong><br />
Yet what was hailed as a victory for privacy advocates was short-lived. Just days ago, on October 9th, 2007, the <a href="http://volokh.com/files/Warshak_en_banc_petition.pdf">6th Circuit granted a rehearing en banc</a>, thereby vacating their earlier decision. This is significant, as an en banc hearing means that instead of the usual three-judge panel decision, all sixteen active judges of the Court will hear this case.</p>
<p><strong>The humble beginning</strong><br />
The decision of the 6th Circuit arose out of the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegations of mail and wire fraud, money laundering, and related federal offenses. The government obtained a court order directing ISPs Yahoo! and NuVox Communications to turn over information pertaining to Warshak’s e-mail account. The order was issued under the Stored Communications Act (SCA) of the Electronic Communications Privacy Act. The SCA requires the government to show that there are “reasonable grounds to believe that the contents of a wire or electronic communication…are relevant and material to an ongoing criminal investigation.”</p>
<p>The government argued that the court orders issued under the SCA to the ISPs were not searches but rather compelled disclosures, akin to subpoenas. As a result, the higher burden of probable cause required under the 4th Amendment for a search and seizure was inapplicable. The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a” 4th Amendment violation.</p>
<p><strong>Why is email different?</strong><br />
Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box. Americans naively assume that e-mails are private and that the government must seek a warrant supported by probable cause to access them. Whereas telephone calls do have this judicial standard, e-mails today are not afforded the same level of protection due to their technological differences.</p>
<p>The seminal case that enshrined our privacy laws was <a href="http://www.law.cornell.edu/supct/html/historics/USSC_CR_0389_0347_ZO.html">Katz v. United States</a>. The Supreme Court held that the 4th Amendment protects individuals against unreasonable searches and seizures if an individual can justifiably expect that his communications would remain private. Justice Stewart wrote that “no less than an individual in a business office, in a friend&#8217;s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the 4th Amendment.”</p>
<p>The government argued that e-mails are not analogous to telephone communications because they require an intermediary. E-mail works by breaking the contents into individual packets that are routed to the sender’s ISP. The ISP then stores and copies the e-mail on its server before transmitting it to the recipient. The government’s theory runs along the lines that since the ISP stores and copies the e-mail, the information was voluntarily turned over. As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause.</p>
<p>Yet while the government is correct in arguing that e-mail is not akin to the telephone, its argument would eradicate any expectation of privacy for any type of communication that requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.</p>
<p><strong>Fallout of the Decision</strong><br />
So what does this mean for you and me? The Court will hear the case again and determine whether the government’s actions were in violation of federal law. While it is always difficult to predict the outcome of such a case, the issues raised by Warshak should be of concern to all Americans. The decision of the court will be one of the most important decisions involving fundamental Constitutional protections. Due to the prevalent use of new technologies, Americans are not being adequately protected by federal statutes. Courts like the 6th Circuit critically need to establish clearer guidelines for the government and for Americans in order to prevent confusion and abuse in the digital age.</p>
<p>In the meantime – remember that email works on a store-and-forward system, and if you are not willing to read what you wrote in the newspaper, you may not want to send it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/focus-on-privacy-e-mail-privacy-a-short-lived-dream/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Data-Breach Laws Give You The Power to Hold Corporations Liable?</title>
		<link>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</link>
		<comments>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/#comments</comments>
		<pubDate>Thu, 01 Nov 2007 14:32:55 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>
		<category><![CDATA[tjx]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/11/01/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/</guid>
<description><![CDATA[Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.... In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events. Minnesota PCI Legislation: Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation - Michael). The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data.... In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice. Consequences for the Courts: As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information....
Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches.... Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions and will perhaps be shared by the retailers and others (of course, the consumer pays in the end). Preparing for the change: As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion.... Industries that have so far been able to get away with minimal security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo and Patrick Romero</strong></p>
<p>There are roughly 40 states that have some sort of “data-breach” law, or a bill under consideration, that forces a company to notify its consumers of a security breach (or suspected breach). These laws were enacted as a way to force companies to disclose the possibility that individuals’ personal information was compromised and that they could potentially become victims of identity theft.</p>
<p>Over the coming months, we’ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit and consider them from different angles, we can learn some interesting things – useful to us from both individual and organizational perspectives.</p>
<p>Even with these new laws in effect, it seems that there is little a person can do to hold a company liable for a data breach caused by its weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.</p>
<p>This is a serious issue that has implications for everyone involved – it ultimately requires clear definitions and mutual understanding, and it will take years to sort through. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.</p>
<p><strong>Minnesota PCI Legislation</strong><br />
Effective August 1st 2007, <a href="https://www.revisor.mn.gov/bin/getpub.php?pubtype=STAT_CHAP_SEC&amp;year=current&amp;section=325e.61">Minnesota became the first state</a> to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard <em>(in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation &#8211; Michael</em>).</p>
<p>The state’s new <strong><em>Plastic Card Security Act</em></strong> would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to retain a credit card holder’s PIN longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.</p>
<p>The significance of this legislation is clear in light of recent rulings by courts that have dismissed class action suits against companies following data breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indiana’s security breach notification statute. In <em><a href="http://www.scribd.com/doc/260744/pisciotta-v-old-national-bancorp">Pisciotta v. Old Nat’l Bancorp</a></em>, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.</p>
<p><strong>Consequences for the Courts</strong><br />
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like <em>Pisciotta</em> will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.</p>
<p>Federal and state courts will feel much more comfortable expanding their legal theories of liability when supported by statutes that explicitly create private actions for security breaches. In this context, it is much more likely that courts will not follow the ruling in Pisciotta until after states pass legislation similar to Minnesota’s. In addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate is passed. The bill, known as the <strong><em><a href="http://www.govtrack.us/congress/bill.xpd?bill=s110-2168">Identity Theft Enforcement and Restitution Act of 2007</a></em></strong>, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.</p>
<p><strong>Consequences for Businesses<br />
</strong>Meanwhile, the retail lobby continues to argue against laws that would hold retailers liable, on the grounds that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced <a href="http://arstechnica.com/security/news/2007/10/governator-terminates-california-data-protection-law.ars">Governor Schwarzenegger to veto a California law</a> that would have mandated that the retail industry comply with PCI requirements. While this may be true, the legislation in Minnesota limits this burden by exempting businesses with fewer than 20,000 transactions from the statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.</p>
<p>While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches. <a href="http://www.itbusinessedge.com">TJX is currently being sued by several banks</a> who seek compensation for having to re-issue credit cards and provide credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions and will perhaps be shared by the retailers and others (of course, the consumer pays in the end).</p>
<p><strong>Preparing for the change</strong><br />
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for damages incurred as a result of security breaches by a third party. Industries that have so far been able to get away with minimal security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.</p>
<p>This isn&#8217;t doom and gloom.</p>
<p>Many of us have already begun to prepare for these changes by writing and improving security policies that make sense and can be understood, improving the process of protecting information, and working to involve users in the solution through training and awareness. Focus on the fundamentals of information protection and you&#8217;ll be less likely to be the test case.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/11/do-data-breach-laws-give-you-the-power-to-hold-corporations-liable-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do you know why virtual teams fail? Take 5 minutes to help some grad students understand</title>
		<link>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/</link>
		<comments>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/#comments</comments>
		<pubDate>Tue, 30 Oct 2007 21:50:04 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[remote working]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virtual teams]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/30/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/</guid>
<description><![CDATA[One of the areas I have been interested in is how teams can effectively work in a virtual environment - and in a way that protects information. I like to work virtually, and it's the only way I can effectively support the growing team of professionals behind the security catalyst (we have nearly 10 people now). I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert.

Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice. The class: Building Teams and Developing Teamwork. This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high-performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success. The project: Bring new knowledge to the field of work team behavior. A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so found that there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six-question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.”]]></description>
<content:encoded><![CDATA[<p>One of the areas I have been interested in is how teams can effectively work in a virtual environment &#8211; and in a way that protects information. I like to work virtually, and it&#8217;s the only way I can effectively support the growing team of professionals behind the security catalyst (we have nearly 10 people now).</p>
<p>I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.</p>
<p>Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): <a href="http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d">http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d</a><br />
<br />
By participating, you&#8217;ll be helping some grad students &#8211; and we&#8217;ll all get the results with a podcast! We only need 100 people to help &#8211; please take a few minutes and share your experiences.</p>
<p>Since I&#8217;m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at <a href="mailto:securitycatalyst@gmail.com">securitycatalyst@gmail.com</a>.</p>
<p><em>Here is some additional background.<br />
</em><br />
<strong>The school: Johns Hopkins University Carey Business School</strong><br />
• A business school situated within one of the greatest research universities in the world.<br />
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.</p>
<p><strong>The class: Building Teams and Developing Teamwork</strong><br />
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high-performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.</p>
<p><strong>The project: Bring new knowledge to the field of work team behavior</strong><br />
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so found that there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six-question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.” The final product of this research will be a podcast sharing the research findings and further exploring the topic.</p>
<p>Please take a few minutes and share your experiences and insights: <a href="http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d">http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/do-you-know-why-virtual-teams-fail-take-5-minutes-to-help-some-grad-students-understand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TSC Insight: Do Email Disclaimers Matter?</title>
		<link>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/</link>
		<comments>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/#comments</comments>
		<pubDate>Wed, 17 Oct 2007 22:00:20 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimer]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/17/tsc-insight-do-email-disclaimers-matter/</guid>
		<description><![CDATA[I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter? During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)....  With the help of Patrick Romero, this is what we found: Some Background on Disclaimers Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability....  If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message....  However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”...  Can encryption provide privacy and confidentiality of email? I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements.  However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption. I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications....  
In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details). Encryption solutions are available for commercial and personal use....  Think before you press send. One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do). Every organization should put in place a company policy with regards to sending confidential information through e-mail....  In the end, some do, some don't and you get to choose. Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.]]></description>
			<content:encoded><![CDATA[<p><strong>By Michael Santarcangelo with Patrick G. Romero</strong></p>
<p>If you’re like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers have been added by the company, automatically and out of the hands of the users. Some users include their own, some serious and some meant to be funny. I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter?</p>
<p>During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn’t really a big deal, but then he asked me if he needed to start using an email disclaimer.</p>
<p>It’s been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn’t necessary. Rather than give him a wrong answer, I promised that I’d look into it. With the help of Patrick Romero, this is what we found:</p>
<p><strong>Some Background on Disclaimers</strong><br />
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability. However, the most common type of disclaimer is the one that guarantees the privacy and confidentiality of documents. They usually look something like this:</p>
<p><em>This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</em></p>
<p>With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.</p>
<p>So now that we have examined the basis for email disclaimers, let’s dig deeper and explore if they provide any value or serve any purpose.</p>
<p><strong>Can e-mail disclaimers guarantee the privacy and confidentiality of documents?<br />
</strong></p>
<p>Generally speaking, e-mail disclaimers are not legally enforceable.</p>
<p>The misconception that they are stems from a common misunderstanding of the law surrounding the interception of electronic communication. The statute usually cited in support of this belief is the Electronic Communications Privacy Act of 1986 (ECPA), which criminalizes the interception of electronic communications. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” A narrow reading of the statute would suggest that only information that has been acquired illegally can be found to be intercepted.</p>
<p>One of the many courts that have defined “intercept” this way is the 8th Circuit. The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.</p>
<p><strong>If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:<br />
</strong>1. Use encryption<br />
2. Use the “envelope within an envelope” approach<br />
3. Write carefully, review and think before pressing send</p>
<p><strong>1. Can encryption provide privacy and confidentiality of email?<br />
</strong>I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.</p>
<p>I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications. In general usage, the message is encrypted (and signed in most current applications) before being sent. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt the message and verify that it came from the sender – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).</p>
<p>Encryption solutions are available for commercial and personal use. If you&#8217;re looking at this for corporate use &#8211; please start with your requirements and then select your solution.</p>
<p><strong>2. It’s all about positioning<br />
</strong>If you’re convinced that you need to continue to use a disclaimer, then you might consider where you place it. Arguments have been posed that by placing the disclaimer at the bottom of the e-mail, the user is undermining the enforceability of the disclaimer.</p>
<p>Think about it &#8211; how can you comply with a disclaimer after having read the content of the e-mail? As a result, there are some who advocate (albeit annoying for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach. The confidential information is sent as an attachment and the text of the e-mail only contains the actual language of the disclaimer.</p>
<p>While this does not guarantee that the recipient will not open the attachment, it could provide some greater standing in litigation if disclosure does occur. Such evidence would be relevant in proving that the sender took reasonable measures to ensure the confidentiality of documents.</p>
<p><strong>3. Stop. Think before you press send.<br />
</strong>One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).</p>
<p>Every organization should put in place a company policy with regards to sending confidential information through e-mail. This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization can provide directions for individuals to understand the proper use of e-mail and decrease disclosure of sensitive information.</p>
<p><strong>In the end, some do, some don&#8217;t and you get to choose</strong></p>
<p>Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers. With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails. Unfortunately, the law today does not provide protection against the misuse of confidential information sent over the internet, regardless of a written disclaimer. Companies and individuals need to determine, on their own, the risk of disclosure and how to best protect their privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/tsc-insight-do-email-disclaimers-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome Patrick Romero to the Security Catalyst Team!</title>
		<link>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/</link>
		<comments>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/#comments</comments>
		<pubDate>Wed, 17 Oct 2007 21:58:17 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Security Awareness Training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/17/welcome-patrick-romero-to-the-security-catalyst-team/</guid>
		<description><![CDATA[You may have noticed the new look and feel for the Security Catalyst Blog.  We're in the process of rolling out a brand new website, as well as a more focused blog and podcast.  To help, I am pleased to welcome Patrick Romero to the team.  He has an impressive background, has served our country well - and is passionate about information protection.  Patrick is currently in law school, and will be contributing on a weekly basis. Meet Patrick: Patrick Romero is a second-year law student at New York Law School and is concentrating on issues of internet law.  He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha.  He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school.  Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005.  During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal.]]></description>
			<content:encoded><![CDATA[<p>You may have noticed the new look and feel for the Security Catalyst Blog. We&#8217;re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well &#8211; and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.</p>
<p><strong>Meet Patrick</strong><br />
Patrick Romero is a second-year law student at New York Law School and is concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal. He speaks Spanish, French and Arabic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/welcome-patrick-romero-to-the-security-catalyst-team/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Change is Good, Part II</title>
		<link>http://www.securitycatalyst.com/2007/10/change-is-good-part-ii/</link>
		<comments>http://www.securitycatalyst.com/2007/10/change-is-good-part-ii/#comments</comments>
		<pubDate>Mon, 15 Oct 2007 11:15:00 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Professional Speaking]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/2007/10/15/change-is-good-part-ii/</guid>
		<description><![CDATA[Communications “You must be the change you wish to see in the world.” -Mahatma Gandhi In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst....  Our new website will be launched at the end of this month.

Catalyst Club - unique coaching, job-aids and the ability to practice and improve The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members.  With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis.  Shortly, you will notice a new blog template.  In a few weeks, you'll notice a slight change to its location (it will be found at /blog).  We all have a lot to share, and we’re looking forward to the change. We are about to start rolling out the changes....  Soon you will experience the new look, feel and functionality of our web-based services....  Watch for ‘Change is Good: Part III’ next week.]]></description>
			<content:encoded><![CDATA[<p><span style="font-size:14pt;"><strong>Communications<br />
</strong></span></p>
<p style="text-align:right;"><span style="font-size:16pt;"><em>“</em></span><span style="font-size:24pt;"><em>Y</em></span><span style="font-size:16pt;"><em>ou must be the change you wish to see in the world.”<br />
</em></span><em>-Mahatma Gandhi<br />
</em></p>
<p>In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.</p>
<p>Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:</p>
<p><span style="font-family:Symbol;">•	</span>Information Protection Toolkit<br />
<span style="font-family:Symbol;">•	</span>‘Speaking About Security’ training sessions for security professionals<br />
<span style="font-family:Symbol;">•	</span>Catalyst Sessions for one-on-one and team support<br />
<span style="font-family:Symbol;">•	</span>Presentations designed to engage, empower and enable your teams<br />
<span style="font-family:Symbol;">•	</span>Catalyst Club &#8211; unique coaching, job-aids and the ability to practice and improve</p>
<p>The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you&#8217;ll notice a slight change to its location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.</p>
<p>We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services.  We are excited to finally share these fruits of our labor.</p>
<p><em>Watch for ‘Change is Good: Part III’ next week.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2007/10/change-is-good-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

