It seems that one major online breach follows another: one hardly has time to clear the news cycle before the next occurs.
Here at The BTW alone we’ve discussed the following major data breaches over the course of just the last month or so: CitiGroup, Sony, and the Pentagon (the Pentagon!).
In talking with small and medium businesses (SMBs) in particular, many aren’t sure where the main liability lies: whether companies aren’t taking the proper precautions to protect data (which would be more of a human failing, whether error in use or poor planning of protections) – or – whether the problem is inherent in poor software, firewalls, authentication/encryption, and so forth.
Internet security is paramount. It’s not “insurance,” however. Insurance is what you purchase in order to recover from a bad outcome, if one happens. Internet security, however, is the protections that prevent a bad outcome from happening in the first place.
Speaking of the internet: Many SMBs aren’t fully aware of what Cloud computing is – if they’re aware at all – even when utilizing it! Therefore, when migrating storage, processes, access, etc., either in discrete pieces or as holistic solutions, security is often a back-of-the-envelope consideration. This is a huge mistake.
Let’s face it: Even large enterprises – the most “sophisticated” (we hope) environments – are struggling with security and poor outcomes. For SMB, it’s a real challenge: Many SMBs don’t know how to define what the Cloud is. And yet, according to Trend Micro, many are using cloud-based applications for such things as human resource management, or customer relationship management (CRM) – “…but don’t associate those apps with cloud computing”, according to Ian Gordon, Trend Micro Canada’s marketing and channel chief.
One has to wonder what their vendors are telling them when selling and instituting these “solutions” if the customer doesn’t even understand what they’re buying. And security? How do you secure something you can’t articulate in the simplest of terms? How do you assess what your vendor is doing?
Food for thought: If you’re “IT,” be certain you tell your business stakeholders exactly what is being implemented and what the advantages, and any liabilities, may be. Get full understanding and approval.
If you’re “Business,” understand the technology that you own, pay for, and use. It’s not that difficult to have a pragmatic understanding for where things reside, what business value they deliver, and what special accommodations must be made in securing and progressing the environment.
Get on it.
NP: Jive Samba, Cannonball Adderley, jazz24.org
It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification. These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.
These “practical rules” are being crafted from solicited input from the public, from national data protection authorities, and from consumer protection organizations. In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).
As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”
If transparency is key, as one of the stated goals, then I wonder why there is no mention of government. What of government breaches? Is there the same timely notification requirement for various agencies? In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.
It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.
I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores – that is, more targets. Breaches will occur largely through careless harbor: poor security practices, lagging security initiatives, and that most venerable and vexing problem, human error.
Joe McNamee, the head of European Digital Rights, says: “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security.”
I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.
Meantime: I’m back to government: What is their duty in notification of breached agencies and harbored data? Nothing I’ve read has indicated government’s oversight of… government.
I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.
I’d like to hear from you. What are your thoughts on “breach notification laws”?
Stay safe out there.
NP: Elsa, Cannonball Adderley, jazz24.org
The Pentagon is supposedly mounting a new cyber security initiative following the loss of 24,000 files. They were actually stolen from a defense contractor but, as in any organization, the organization is ultimately responsible for the actions and activities of all subordinate elements: contractors; vendors; solutions partners; individuals.
I also use the word “loss” for a very important reason: Whether the Pentagon still has copies of the breached, stolen, files or not – they are lost in the sense that their exclusivity, their protection, and their discretion has been stolen.
The files truly are not what they once were – and that is theft and loss.
Here in the BTW, we often speak of The Responsible Forward Edge (RFE). It’s a proactive, aggressive, forward posture regarding survey of risk, mounted protections, and comportment with best business/IT practices. Best practices means constantly updated practices in accordance with evolving threats and the evolving security measures to counter them.
The responsible organization does this pragmatically, for sure: There’s budget to consider. Other resources factor too: time, available personnel for implementations and support, etc. But today, there simply has to be a schedule of survey of liabilities – even if none seem to exist today, tomorrow they will: Our environment is not static, and the number and nature of threats are not static either.
What makes the Pentagon’s hack so dismaying is that “foreign intruders” made the theft. According to Deputy Defense Secretary William Lynn, terabytes of data have been stolen over the past decade, involving “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”
In this case, Lynn didn’t specify a country for the attack, or even whether it was a country versus the work of simple criminal hackers. However, a large part of the Pentagon’s new cyber security initiative is to share classified threat intelligence between defense companies. Hmmm… someone couldn’t have thought to do that a decade ago?
This should have been routine. A lesson for all organizations is to get your people thinking, imagining, and working together. Organizations should have, at a minimum, quarterly meetings with a significant block of time dedicated to security. Employees, security oriented and otherwise, should volunteer what they’ve heard regarding threats, solutions, other outcomes. Qualified personnel can vet ideas and threats – but it’s a nice exposure, and gets the organization thinking. Remember too to solicit and share ideas between regional offices, and between all partnering-organizations.
At the same time, IT can warn of social networking liabilities, breach conditions to avoid, and so forth; they can reinforce Acceptable Use, Content, Security, and other policies.
On this day, July 16th: In 1926, National Geographic takes the first natural-color undersea photos.
An interesting thing happened to me on the way back from my mailbox the other day.
But first: I had a debit card that was getting increasingly difficult to use. The magnetic stripe on the back had a scratch on it, and I often had to swipe it three or four times to get it to read. So, I called the bank and requested a new one. I haven’t had to replace a card in a long, long time. I figured the new one would come with instructions to call a number for “activation.”
Interestingly (well, at least to me), when the card showed up, the accompanying letter made no mention of any need for activation. It did take care to tell me the card could be used at “millions of Visa ® merchant locations.” It talked about “free access to cash” at qualifying ATMs. Further, the letter was so helpful in telling any recipient that $300 cash was available each day, as was $1,500 in purchases.
Representing the most help, perhaps (particularly for thieves), was this informative sticker on the card itself! [Capitalization is exactly as on the sticker] –
This debit card works at all Visa merchant locations.
Press the CREDIT button and DO NOT INPUT YOUR PIN.
Funds will be deducted from your checking account
and there will be no transaction fee.
It really is nice not to have to fuss with a PIN. But here, we’re at a point of diminishing return: By making the card easier to use for the consumer, we’re also opening a very insecure avenue, yielding a breach potential: Unauthorized use of the card for THEFT. [Those caps are all mine].
The letter had a 1-800 customer service number and I called it. I wanted to confirm that the card was ready to use, absent any proactive activation on my part. The representative confirmed two things: 1) The card was ready to use, and 2) that, upon my direct query, the card indeed had been ready all along, as delivered to my mailbox.
A couple of worrisome things here. There have been times, not too often but more than a few, where my neighbor’s mail has been delivered to my mailbox. In fact, this has happened at several addresses I’ve had over the years. I’m sure there has been mail of mine delivered elsewhere – in fact, I remember people walking stuff over here and there.
In the event this card had been placed in the wrong mailbox, there is the possibility that someone would be tempted to take the card and use it. The envelopes for these cards do not disguise the fact that they contain a card – you can readily feel a card just by picking up the envelope. Consider too that someone could tear an envelope open without noticing it’s meant for someone else (in fact, I’ve done it). Once open, there’s a nice sticker advertising the fact that you hold free money in your hand.
Of course, with all of the surveillance systems today, it would be distinctly unwise to use someone else’s card without authorization. But that doesn’t preclude kids, or stupid people, or even someone adopting a disguise and walking up to a machine, from gaining some ready cash… from… you.
I don’t like it. What do you think? Aren’t we supposed to be getting tighter as regards security?
Also, keep this in mind: Removing the need to call and authorize/activate a card takes a bit of a burden off the financial institution. But… presumably any burden regarding security is something a bank is precisely supposed to be offering.
Call it a service. :^ )
On this day: In 1836, U.S. Patent #1 is granted for locomotive wheels (after 9,957 unnumbered patents).
Does your right to remain silent, as protected by the U.S. Constitution’s Fifth Amendment, extend to encryption on a personal laptop?
It’s an interesting subject, and one that might be settled soon – by the Supreme Court. A woman accused of, and being prosecuted for, a mortgage scam in Colorado is under pressure to disclose her passphrase for decrypting her laptop, which police found in her bedroom upon the raid of her home – she has refused.
The Obama administration is asking a federal judge to order the defendant, Ms. Ramona Fricosu, to decrypt the laptop. As a slight aside, prosecutors don’t want the passphrase itself. They want Ms. Fricosu to simply type it in, and make the files available in their decrypted form. This may seem a minor point, but it does remove any wrinkles that may be encountered upon court rulings that make divulgence of the passphrase itself a protected item within the Fifth Amendment’s protections.
At the heart of the matter is whether a defendant can be compelled to serve up something from the privacy of their mind: Other courts have ruled that protections extend there. Prosecutors, however, liken passphrases to physical keys, and defendants can be made to produce keys to safes, for example. It’s an interesting situation.
One could make the argument that forcing a defendant to divulge a passphrase (or password, encryption keys, etc.) enters the realm of breaking protections against self-incrimination. While the Supreme Court has not yet ruled in matters such as these, lower courts have – and their rulings have, essentially, gone both ways: In one case stating that an individual did not have a Fifth Amendment right to keep files encrypted; in the other, that the defendant did – thus “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination.”
Ms. Fricosu is charged with money laundering, wire fraud, and bank fraud in an alleged attempt to gain titles to homes via falsified court documents. She’s facing up to 30 years or more in prison.
For the rest of us, with – hopefully – more mundane privacy concerns, we can understand a desire to keep business secrets, diaries, and privileged communications from friends and associates private.
For us, and most definitely for business, the case does bear watching.
On this day: July 12, 1962, the Rolling Stones make their first public appearance (Marquee Club, London).
According to a top Homeland Security official, testifying before a hearing of the House Oversight and Government Reform Committee, computer software and hardware are being imported to the United States pre-loaded with security-defeats and spyware.
Greg Schaffer is Acting Deputy Undersecretary for National Protection and Programs at the Department of Homeland Security (at least he’s not the temporary acting deputy under… there are those too).
Schaffer made a disturbing statement in response to a query by Rep. Jason Chaffetz, R-Utah, who first took care to state “the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States … poses, obviously, security and intellectual property risks.”
Rep. Chaffetz then asked, “A) Is this happening, Mr. Schaffer? And, B) What are we going to do to fight back against this?”
After a moment’s obfuscation on the part of Schaffer, the representative sharpened his query, “Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?”
Schaffer: “I am aware that there have been instances where that has happened.”
The panel is considering a government proposal to tighten controls on imported computer equipment for use by critical government and communications infrastructure.*
It would seem to me that that area would already have the highest possible standards. How many times have we stated here that protections must lead threats, not lag, and that a proactive, provocative security awareness is necessary?
The hearing didn’t tease out whether imported equipment included consumer-grade technical components and software like retail media, laptops, desktops, consoles, etc. However, if it’s determined that there’s a necessity to survey those imports, watch for consumer-grade items to jump in price, as cost of inspection and survey gets added to the bill.
* Meantime, the government isn’t doing everything possible to inspect and screen its own components? In the age of botnets, key-logging software, password discovery mechanisms, encryption-busting and other software that defeats and disables existing security programs, there’s no excuse. The absence of a progressive, matching security posture, with aggressive monitoring and survey/scrub for malfeasance, is unaffordable.
Further, when an aggressive program is in place, that program is affordable because there is no cold-start mount in the face of extreme security perils: It’s kinda like riding a bike uphill; you get a good start on the stretch, and are then able to pedal into the hill… eventually, you get back on level ground and your effort eases – but you don’t relax – you’re readying for the next hill. However, if you start on the hill, it’s tough to get going.
What has the government been doing if it is just now acknowledging import of infected components? And… further, it is just now considering more stringent controls? It’s past time to pedal faster.
For your environment: True security demands an aggressive posture. Be certain to have the right mind-set in your organization. Review the security-themed posts here as necessary.
On this day: July 11th, 1798, Congress creates the Marine Corps.
From Morgan Stanley comes word that two unencrypted CDs have gone missing. They were sent, and actually delivered, to a government tax office: the New York State Department of Taxation and Finance.
However, apparently the package containing the CDs has either gone missing from the desk of the recipient – or – the package arrived at the desk, seemingly intact, but did not contain the expected CDs… depending on what article you read. One thing seems fairly certain, being that Morgan Stanley has issued an apology and warning: The two CDs were sent, did not reach the intended recipient, and are missing.
The CDs are password protected, but that’s mere child’s play these days for anyone who wants to break a password. The idea that these sensitive discs, by virtue of very sensitive data, were not encrypted is quite hard to believe. Someone was either too lazy to follow a protocol and perform the encryption, or – worse, Morgan Stanley has lax policy and standards regarding encryption and protection of data.
If one person is remiss that’s – literally – one thing. That person can be disciplined, trained, or fired. However, if there’s lagging policy and standards regarding data protection, handling (certified mail anyone? Secure courier service?… etc.), and encryption – then that’s indicative of a systemic, organizational failure. It’s time for a complete survey of business and IT practices, training programs, and day-to-day standards and comprehensions at Morgan Stanley.
The bank has had to notify customers that, at the least, names, addresses, earned income on investments, and tax ID numbers may be compromised. Social Security numbers frequently serve as tax ID numbers, and Morgan Stanley has offered a year of credit monitoring services for clients whose SSNs were exposed.
Morgan Stanley was notified on June 8th that the CDs were missing. An exhaustive search was made through all facilities the CDs and associated package passed through – however, it wasn’t until June 24th that Morgan Stanley notified customers – via mail.
Remember: Your number one asset is your reputation… your next asset is your customers. Without those, your employees don’t have much reason to show up. Take a look at your business processes and associated security – now.
On this day: On July 6th, 1924, the first photograph was sent across the Atlantic by radio, from the US to England.
Google has reported it gave user information to the Federal Government 94% of the time the government requested it.
These requests are allegedly parts of criminal investigations. Still, it raises the question: Does government have the right to demand information from a private company?
Yes, it does in any of three ways:
1. A grand jury can send a subpoena to a company.
2. A Federal judge can sign a search warrant; an FBI agent delivers it to the company.
3. An FBI agent, or any Federal agent, may write his or her own search warrant, authorizing himself or herself to search the company.
This may be of interest to some readers here. In fact, it should be of interest to all readers – and in particular, to business stakeholders. I define “business stakeholder” very broadly: From a temporary worker at a desk for a day, to the senior executive class, and everybody in between.
In other words, if you’re under a business’ roof, doing business on business’ behalf, you’d better exercise care in what you’re doing:
You must secure and protect business reputation;
you must secure and protect your own.
Remember this: Business’ #1 asset is not “our people” – as business so often likes to say: “Our number one asset is our people.” No. Business’ #1 asset is its reputation: Lose that, and your people won’t have a place to work.
Can Google give private info about what you’ve Googled to the Federal Government without you knowing it? Well, they have been. Here’s the number of Google’s deliveries to government requests, July through December 2010:
(Source: Fox News)
Government is starting to peer into many of the things we’re doing, potentially invading our privacy. Is government avoiding the Fourth Amendment, which protects citizens from unreasonable search and seizure, by going to a private company? Further, what are the privacy and business implications when the government asks an enterprise such as Google for employee activities conducted under any business’ roof, on business time?
Does any consumer or business (the user of Google’s services) have an “unwritten contract” that Google will keep Google searches to themselves?
The answer is: No. There is no written, or unwritten, guarantee of discretion, and no promissory estoppel. Thus, for individual and business alike, there are serious issues and vulnerabilities. What are Google’s standards for giving information to the government? Do they just cave in to requests? Do they have their internal lawyers call the government and qualify these requests to any degree? What are the criteria for denial or acquiescence?
In some ways, the government is asking the private sector to act as their… spy, essentially.
This is why, in the age of eDiscovery, it is essential for businesses, large and small, to have robust and clearly understood Acceptable Use policies. Security policies. Content Management policies. Further, make certain that employees understand and adhere to policies – and that they know the consequences for misuse of content, search engines, and other business resources.
Stay safe out there.
NP: Don’t Worry About Me, Sachal Vasandani
Today’s article follows on to yesterday’s Part I, where we discussed a relatively new company, Social Intelligence Corporation (SIC), and its offering of services to employers. Please see that if you haven’t already.
Someone made a great point (credit Steve Doocy of Fox News): What if you take a picture today of you hanging out with a friend, post it to a social networking account – and that friend becomes a felon in the future? Is SIC going to deliver a future report to a prospective employer, stating that you associate with known felons?
Max Drucker, CEO of SIC, answered the question as a definite: “Probably not.” That’s hardly reassuring, although he does say that employers are primarily interested in the following categories for screening applicants:
- Racist remarks
- Clearly illegal activity such as drug use
- Sexually explicit photos and videos
- Flagrant displays of weapons or bombs
“Those are the things we look for, we don’t look for associations.” But what will Mr. Drucker and SIC deliver in the event employers DO ask for associations? I can’t say with certainty, but I know this: SIC is in business to deliver a service. That service is, essentially, a background check on potential employees. SIC, and any service company, stays in business by filling the service expectations of clients – here, employers. When employers start asking for “known associations,” companies like SIC are likely to deliver.
Michael Fertik, CEO of Reputation.com, makes several interesting points. He notes that, at present, human beings at SIC are making nuanced, human, judgments about content and those people who generate it – people, in this context, who are prospective employees. However, it won’t be long before competitor companies seek to deliver this service to employers faster, better (in competitors’ minds), and cheaper – and this will involve… automation. Mr. Fertik’s points are well taken.
Here’s my take: Automation frequently delivers a “dumb” report regarding content. That is, there is no nuance, no judgment; there is a lack of balance, and frequently a view of content that is diametrically opposite to what that content might truly represent in its full context, outside the constricting view of a static report.
I made the point yesterday, in Part I, that someone might join an online group for purpose of monitoring; for example, a student might even join a hate site for purpose of a school report on such activities.
Consider what SIC would make of that…
NP: Two Degrees East, Three Degrees West – John Lewis/Jim Hall – Jazz24.org
We’ve discussed online social networking peril here at length, but there is now a new wrinkle.
In addition to keeping work accounts and personal accounts straight, and taking great care not to mix “friending” with “businessing,” employees now must contend with the Social Intelligence Corporation.
What is the Social Intelligence Corporation (SIC) and its allied mission? Nothing short of supplying potential employers with a comprehensive report of what you’ve been doing through social networking (and anything else online): The good, the bad, and that which will get you screened from any hope of working for whatever company to which you’re applying.
As a year-old startup, SIC rakes social media sites such as Facebook, Twitter, Flickr, et al, even blogs, and presents anything suspect to the employing agent: Again, perhaps a company that is considering you for employment. You mail a resume, you get a call, you interview – and at some point in the process – perhaps even upon receipt of the resume – the company engages SIC and requests your online history.
It’s hard to know if SIC is sick, or just the next step in employers’ due diligence and arsenal of tools in arriving at best employees and staffs. It does seem a little sinister that employers, and SIC, are raking the relative party of social networking in assessing candidates. I mean, I wouldn’t have wanted potential employers at some of my house parties back in the day – ya know what I mean? We’ve already noted that employers have been using Google to look up names and online presence of potential employees. This takes it to a whole ‘nother level.
Consider the case of one person: They merely joined a Facebook group called “I shouldn’t have to press ‘1’ for English. We’re in the United States. Learn the language.” Apparently, SIC’s software identified the individual as having “…other obvious racist leaning or proclivities” merely through association. Seems a bit heavy. And what of someone whose membership is merely for monitoring such a group?
Just recently, the Federal Trade Commission suspended an investigation of SIC, by virtue of the fact that it appears to comply, for now, with the Fair Credit Reporting Act: In this case, SIC must be certain that clients (companies, organizations) advise applicants when something deleterious turns up on a report, with subsequent negative impact to potential employment with that employer.
So… beware. We’ve said it before, and I’ll say it again: Stay safe out there.
NP: Hungaria, Bireli Lagrene