Regulatory Reality

June 4, 2009  8:26 PM

Why financial institutions might want to keep an eye on the energy industry.

David Schneier David Schneier Profile: David Schneier

Through an odd turn of events over the past few months I’ve found myself actively engaged with a group that’s focusing quite a bit of effort on NERC CIP. For those of you not in the know, NERC (North American Electric Reliability Corporation) is to the energy sector what PCI is to the credit card industry and CIP (Critical Infrastructure Protection), like the PCI-DSS, is a set of controls that need to be complied with. My involvement came by way of a relationship I established earlier this year with a security firm that takes a really innovative and interesting approach to helping clients identify risks and vulnerabilities. The firm reached out to me because I have this soapbox and was looking for exposure. In the time since I’ve not only continued the conversation but have become part of group of security and compliance thought leaders that the company’s compiled to help further refine and focus their vision. As luck would have it, I happen to be actively engaged with a client that’s in the energy sector (I was brought in because of my SOX and PCI genius) and so here I am with my worlds converging on me….. again.  As such I’ve been thinking about NERC CIP quite a bit these days despite typically hanging around banks and credit unions.

So why am I bothering to bring this up? I mean, this site is focused on the financial world not energy. And it’s not like there’s ever any shortage of things to discuss with regards to security, compliance and the financial verticals.

Because NERC CIP may prove to be the standard that ultimately becomes the framework used by President Obama’s administration as a baseline for national cybersecurity measures. It’s already federally mandated, courtesy of the Federal Energy Regulatory Commission (FERC) which oversees NERC, it’s high-level enough to work across business verticals (though it would need a reasonably thorough rewrite for which I hereby volunteer to help with), and has already been validated as strong enough to be used to make sure the electric grid is not needlessly exposed. And at this point in the evolution of information security and regulatory compliance, I doubt there’s a need for yet another new framework. So I’m putting it out there right now that I’m betting money that the soon-to-be-announced cyber security czar will eventually find his/her way to NERC CIP and recognize it as a viable baseline.

Here’s the view from up-high:

  • CIP-001-1 Sabotage Reporting
  • CIP-002-1 Critical Cyber Asset Identification
  • CIP-003-1 Security Management Controls
  • CIP-004-1 Personnel and Training
  • CIP-005-1 Electronic Security Protection
  • CIP-006-1 Physical Security Program
  • CIP-007-1 Systems Security Management
  • CIP-008-1 Incident Response and Reporting
  • CIP-009-1 Disaster Recovery

You have to admit, it’s straightforward and pretty much covers what’s needed. And yes, I know, there’s way more detail to be found underneath the section headings but let’s keep it simple for the purposes of this post. What else would you want to include for a federally mandated cybersecurity framework?

As for why this seemed like a good topic for this particular forum, it’s really quite simple: Something like NERC CIP is coming soon to every business vertical and not just those within shouting distance of the financial industry. And it will potentially be here before anyone can even say “Happy New Year’s” again. While most of those in the banking sector are already accustomed to such requirements almost everyone else isn’t. With PCI having been a shocker, I can only imagine how this is going to play out. I’m just using my digital pulpit to try and jolt people into thinking about what’s rolling down the regulatory highway towards them so that when the headlights are upon them they’ll maybe be just a little bit prepared.

As an aside regarding President Obama’s press conference last week discussing the cybersecurity 10-point plan, the only truly great thing to come out of it was the fact that it pushed information security to the front pages for the day. Professionally speaking, I thought it lacked any real bite and while I know these things take time I was expecting that there would at least be dates and names aligned against the bullet points to set expectation and assign responsibility. Considering that the plan was based on a report generated by some pretty sharp minds who were likely ready to begin rolling weeks (if not months) ago I was less than thrilled.

May 29, 2009  2:44 AM

Information security pros (and cons).

David Schneier David Schneier Profile: David Schneier

Ever since I first started blogging I’ve worried that there would be weeks when I would simply draw a blank when it came to finding a topic worthy of the audience’s time and attention. While I may have hit the occasional bump in the road with posts that weren’t of the “keeper” variety, I’ve been relieved that my day-to-day experiences have never left me short of ideas. But every once in a while I come across a nugget, a relatively minor kernel of an idea that while potentially interesting isn’t by itself enough to fill the page. And so I tend to keep a list on the side that I use to simply jot these things down and review every now and again.

So imagine my surprise that when I added my latest little bit of genius to the list a pattern presented itself to me that hadn’t been there even a week ago.

For those of you plying your skills as Information Security professionals, I need to warn you what follows is potentially inflammatory, insulting or validating; it all depends on how you look at your career.

I was stunned a few months back when I noticed on LinkedIn a new application called “TripIt.” The main idea of the application is to enter and track your trips, be they business or personal, including locations, dates and a general description and then post it on your LinkedIn page. The end result is that everyone who can view your LinkedIn profile can also see where and when you’re traveling. My first thought was that it was just a bad idea within the professional domain. It’s a common rule within the infosec space that you should never send email auto-replies to anyone outside your company indicating that you’re out of the office lest it provide hackers with an opportunity to try and hijack your account while you’re away. That rule also applies to voice-mail greetings for the very same reasons; it’s just too much information. The first five people who I noticed using it were, gulp, infosec pros.

Then two weeks ago, I was conducting fieldwork during which a tremendous amount of pomp and circumstance was placed around physical access controls that were designed and implemented by a group of security folks; they had followed a tried-and-true recipe in designing the related controls. From the outside looking in, everything looked great. From the inside looking out, there were more holes than on a golf course. While at a fundamental level their critical data was exposed to very little risk as a result, the amount of peripheral damage that could’ve been done elsewhere was substantial. I’ve been known to complain in the past about controls that look great but don’t work, but in this instance I was disturbed by how obviously smart people had simply followed a canned recipe without truly thinking things through and validating the effectiveness of what they’d done.

This week I’ve had the opportunity to review two resumes from people who are likely way smarter than I, both are information security consultants. Both individuals listed accomplishments and capabilities within the security domain that pretty much touched on just about every segment of the infrastructure. I believe I have a good nose for legitimate resources and both of these people presented themselves quite well at the bits and bytes level. But neither of them tied their experience back to solving business issues. With all of the well publicized work around mandates and regulations (e.g. PCI, data privacy, NERC, SOX, etc.) you’d think there would be some attempt to connect their experiences back to something someone in the executive suite would appreciate or recognize.

Maybe I’m over thinking things but shouldn’t people who advertise themselves as information security professionals be a little less binary and a bit more aware? While it’s important to have devices and software configured properly, isn’t it that much more important to be contextually aware and understand what’s needed to protect the business and its information assets?

This has become something of an issue for me lately as I’m working with multiple clients who are dealing with a broad range of challenges. I’ve become increasingly aware that there’s more than just a fine line between a security engineer and a security expert. One can tell you all about firewall rules while the other can tell you where to install them and why. One can work their way down a checklist ticking off to-do’s (think PCI self-assessment) while the other considers the applicability and risk of each item before so much as touching the keyboard. And yet both tend to present themselves similarly and they’re not.

If you’re truly an infosec professional you need to display that in how you make choices (restrict the personal information you share with the digital world), in how you conduct your work (design controls, try and break them and then close the gaps) and in how you decide what’s necessary and sensible (encrypt credit card data but also make sure sales people aren’t writing down non-public personal information on scratch pads). Don’t become an expert on tokenization and think that qualifies you to design a complete PCI security plan. Don’t advise your clients/users on proper security practices and then go out and fail to follow your own advice. And don’t ever think that because you’ve satisfied some regulation or framework that you’ve gone far enough to mitigate or manage risk.

In this day and age, with the threats to our digital assets greater than ever and with increasing pressure being brought to bear by government and industry regulations, it’s more important than ever that the right people be put in the right positions to help address these myriad challenges. And it’s more important than ever to understand that not all information security professionals are alike; decide who shall lead and who shall follow and be sure to chose carefully.

Next time out I have some interesting insights to share regarding NERC, so be sure to check back next week.

May 23, 2009  6:53 PM

Red Flags and contractors

Marcia Savage Marcia Savage Profile: Marcia Savage

I attended an ISSA-Silicon Valley chapter meeting this week, where the featured speaker, Jim Anderson, gave an interesting presentation on the Red Flags Rule. For the uninitiated, the rule – issued by federal regulators in 2007 – requires financial institutions and creditors to have a program for spotting red flags that indicate possible identity theft. Anderson, who is president of consulting firm Professional Assurance in Pleasanton, Calif., and has 12 years of experience working in commercial banks, stressed that the Red Flags Rule requires organizations ensure their contractors are compliant. High up on organizations’ Red Flags to-do list is notifying relevant third parties of their obligation to comply with the rule, he said.

In a phone interview after the meeting, Anderson said the main types of service providers that are subject to the Red Flags rule are one that are involved in the process of evaluating credit worthiness or that process credit-based transactions. Those service providers need to demonstrate to their customers that they are compliant with the rule, ideally with a written identity-theft prevention program, as called for in the regulation, he said. If the third party can’t provide definitive evidence of compliance, they should be put on notice that their contract may be subject to modification or termination, Anderson said.

“The regulated entity, the one with the covered accounts, is responsible for compliance, but what Red Flags does is raise the visibility level of third parties and that they have to be considered in one’s compliance,” he said.

May 20, 2009  7:31 PM

IT Security: Something has to give.

David Schneier David Schneier Profile: David Schneier

My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it’s a case of the old “if it wasn’t for the last minute nothing would ever happen” philosophy).  And in authoring some of our reports we’re identifying issues and gaps that are in some cases minor but in others are big enough to drive a car through.  This is nothing new.

What is new is the ambivalence we’re experiencing from management.  It seems that a little known byproduct of our currently sad economic state is that keeping the doors open seems to be the only goal that really matters.  Management is not particularly concerned with much else, or so it would seem.  Not that this by itself is a new phenomenon either but there’s almost a reckless undertone emerging.

We’ve encountered some glaring issues recently that underscore a fundamental problem that I’ve struggled with for a long time: The FDIC and NCUA examiners just don’t pay enough attention to IT-based risks.  In some instances they touch on high-level issues and in rare instances can get a bit more granular, but we’ve collected empirical evidence that an in-depth review hasn’t been conducted for the vast majority of institutions that we’ve worked with.

Forget about industry best practices and forget about the fact that financial institutions are required by law to implement and maintain certain basic safeguards.  We live in an age where identify theft and credit card fraud are rampant.  Every day we are presented with more stories, more guidance and more information about how the criminal element is finding newer and more insidious ways to get at our money and credit.  My senior citizen mother and my grade-school aged children are all aware of the term phishing, have all been coached as to which email is safe to open versus which isn’t and know not to share personal information.  If I can convince them of the threats out there in the great digital void you have to think it’s fairly obvious, right?

So why is it that the examiners aren’t paying more attention to the IT infrastructure?  I had a chance to ask someone from the NCUA office a few months back that very question and while I didn’t like his answer, it made sense particularly considering the more pressing issues banks and credit unions are currently dealing with.  It comes down to resource availability.  Only so many hours are allocated to an exam  based on their size.  And so for the smaller institutions, the examiners prioritize the work based on risk.  Can anyone argue that scrutinizing the books is less important than auditing the IT infrastructure?

Even so, some of the institutions we’ve worked with and which I’ve personally reviewed have had issues for what has to be several years.  How is it possible that in the past five years not one examiner has ever noticed the absence of a business continuity plan?  Or any form of security around the firewall (and an unusually permissive firewall at that)?  Or the lack of strong (or even reasonable)  password controls?

Something has to give.  When you combine the lack of proper examiner supervision with a less than concerned management mindset the potential for serious issues becomes much greater (and likely).  Somehow the various entities that are responsible for providing oversight for those places we trust with our money need to figure out a way to provide reasonable assurances that at least the bare minimums are being met when it comes to IT controls.  With all the money being spent to keep the banking industry afloat can’t someone figure out a way to slice off a little bit in order to hire enough IT people to conduct the necessary examinations?  Congressman?  Senator?  Mr. President?  Anyone?

May 14, 2009  6:38 PM

Who put the G in GRC?

David Schneier David Schneier Profile: David Schneier

I’m something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years.  I’ve been known to rant a bit how it’s not properly organized as an acronym because everyone who knows knows that risk comes first and so it should’ve been RGC.  But as a discipline and as an approach to designing and implementing controls I’m all for governance being used as the driver to assess, measure and manage risk.  And of course if you’re properly managing risk you’re also naturally falling into alignment with all things compliance.

For the most part whenever I see references to GRC in the marketplace it almost always is associated with a software product and not a discipline or a methodology.  And in those rare instances where it is in reference to something being practiced it’s often depicted as an advanced formulaic concept that requires a PHD to understand, let alone practice.  But I’m certain that’s going to change.  With all of the layers of regulatory requirements already placed upon Corporate America and with the very real threat of even more looming large on the horizon I know that eventually companies and institutions are going to be forced to abandon their all-too-common one-off, silo-centric approaches to compliance and commit to a single, well thought out governance program.  My best guess is that once the economy begins the slow, steady climb out of its current abyss we’ll start seeing signs of progress on the this front.

And so I’m always monitoring the GRC landscape looking for subtle shifts and changes that may indicate a new advance or important discovery.

Two weeks ago one of those subtle shifts landed tap-dead center on my GRC tracking radar only it wasn’t so subtle.

While working for a client who is suddenly confronted with the demands of a brand new set of regulations I committed to building out a cross-reference matrix by which they can identify commonalities between their different frameworks and look for economies of scale in the work required to comply.  But I’m sometimes lazy and decided that somebody somewhere must have already done something like this; I’m smart but I’m not often the first one to think of something.  And so a-Googlin’ I went.  Imagine my surprise when I not only found what I was looking for but also found that there was a company that created a product that incorporates pretty much every regulation currently known to civilized man and developed a master cross-reference to illustrate all of their interdependencies.

The product is called the “Unified Compliance Framework” and for those people who understand governance and are committed to advancing it from theory to practice this is something akin to the Holy Grail.  Simply put UCF monitors the regulatory and industry landscape, identifies emerging requirements/frameworks as well as modifications to those that already exist and conducts an analysis to identify how it relates to other frameworks.  This allows any organization to take their existing control framework and use UCF to map those controls across the entire compliance spectrum identifying where one control satisfies multiple frameworks.

Think about that for just a minute.  If for example you’ve designed a control for password rules as part of your SOX framework you can use UCF to quickly identify which of the other frameworks that control addresses (several, by the way).  If your company conducts business in states that have or are about to have their own data privacy laws with which you have to comply (Massachusetts is the most recent) it’s very likely that not only don’t you have to re-invent the wheel but already have one to use.  UCF makes it easy to identify points of intersection thus making the impossible possible.  Or rather, it allows you to kill two (or more) birds with one stone (so-to-speak).

I’ve been railing for years against the common approach most companies use in which they design one-off solutions to align with the myriad frameworks they operate under.  But it’s been a difficult argument to establish and until finding UCF I’ve had to struggle to make my case.  But not any longer.

To validate my take on UCF I showed it to a colleague who is in senior management at a Fortune 500 company and who is himself responsible for IT Governance.  He immediately saw its potential and wanted to know who else was using it and how so.  I fear I’ve opened up a can of worms though because when I mentioned that I was researching early adapters of UCF he asked if he could join in on the interviews so that he can pick their brains and leverage off of their success.  I was looking for validation and instead inherited a partner.  But I feel as if though I’m helping create a mini-wave of excietment  in the governance space and I’m OK with that.

I’ll have more to share with you over the next few months as I continue to dig into how UCF is being used in support of GRC initiatives.  But in the meantime I encourage you to
check them out for yourself.  If you’re someone who has a governance role, hopes to have a governance role or simply wants a glimpse into the future of GRC it’s well worth your time.

May 7, 2009  9:58 PM

PCI compliance is not the end all

David Schneier David Schneier Profile: David Schneier

I was sitting in on a meeting this week during which a security review was being conducted for a proposed software solution for my client. The product was designed and hosted by a third-party vendor.

At first blush I was impressed with the scope and depth of the review; it was a comprehensive security assessment more than anything else. The questions being asked were the right ones, the information collected and reviewed seemed to substantiate the answers and the people participating in the review were all at once curious and knowledgeable.  The sum total of these parts equaled good things.

Until I noticed a comment embedded within one of the vendors’ responses.

In regards to the question “Does the vendor have a recent SAS 70” the response took a sharp left turn and drove straight towards the wrong answer. The vendor ignored the question and instead described how they’re PCI certified. First, that’s not the right answer because PCI is very narrowly focused on a subset of the infrastructure whereas SAS 70, in theory, is much broader when applied to a technology vendor. Second, PCI certified almost always means that a self-assessment questionnaire was completed by the vendor and submitted to their processor for validation. Unless the vendor is Tier 1 (which means they process in excess of six million transactions per year) there’s no external validation of the responses in the questionnaire. So you don’t really know how accurate or reliable the answers are anyway. Third, the vendor they referenced as conducting their quarterly scans was recently placed in remediation status after the PCI police found that they had violated QSA validation requirements. That’s not much of a confidence boost, is it?

In the end I suppose my biggest (and really only) issue with the process was that to the untrained eye the information presented looked great. But I couldn’t get past the fact that they blew right past the SAS 70 question and presented what appeared to those in the room as being a strong answer despite the fact it was the wrong one and fell apart under scrutiny.

Ultimately, I’m hung up on this one wrong answer and my reasons are twofold: Will people confuse PCI as a true security standard and if so, will the majority of the IT community go with the assumption that any framework applied and certified, authorized or approved is as good as the next?

I sure hope not.

Check back early next week because for those of you who dabble in governance I’ve got something really cool to share with you.

April 29, 2009  3:33 PM

Pandemic Planning: a quick update.

David Schneier David Schneier Profile: David Schneier

I wanted to post a quick update regarding the looming threat of a true pandemic event courtesy of the swine flu.

In the past forty-eight hours I’ve had conversations with three separate clients in which the subject of their pandemic response plans were discussed. Mind you the initial reasons for these conversations were completely unrelated to this hot news item but its on my mind and I would be remiss to pass on the opportunity to dig a little.

All three clients, all three, had no idea if their pandemic plan would work (one wasn’t even sure they had one). Two of them discussed how they had a mobile work force to begin with and it wouldn’t be a big problem to have everyone dialing in. To which I asked if they had ever tested their networks capabilities to handle everyone dialing in literally at the same time; the answer was no. Then I asked about some of their critical business functions that couldn’t be managed remotely, how would that be addressed if a general quarantine is declared; they weren’t sure. The third client had a very small remote work force where more than eighty-percent of their users relied on desktops during the business day. If their employees couldn’t make it to the office due to a pandemic event they pretty much were shut down for the duration. And in their industry that’s just simply not allowed. Their strategy has always been that only senior management and technology team members required a laptop and could manage issues remotely should they occur. But they never anticipated having an issue like this.

One of the clients was dismissive of my concerns that a general quarantine could be declared; “never happen” was the comment. So when I awoke this morning to news that President Obama is alerting schools to prepare for the possibility that classes will be suspended during this event I cringed. Typically I indulge in a bit of smugness when I’m right but not so much this time. This time I’m feeling a knot in my stomach.

I have concerns that in general our infrastructure is ill-prepared to handle a sudden and dramatic rush to using our telecom capabilities to run America remotely. I have further concerns that too many companies are going to be figuring out what to do by the seat of their pants. Some are small enough where that’s possible but many are way too big and would require advanced planning which now appears to be near impossible to get done.

I’m still not convinced that this threat is any greater than any other flu outbreak we’ve seen but I am concerned how we’re going to be able to respond (or rather not respond).

And as if though this isn’t a juicy enough story for me, the first confirmed fatality in the US from the swine flu was announced today. A toddler from Mexico was found to have had the swine flu; he passed away in a hospital in Houston. Guess where I am this week?

April 27, 2009  5:28 PM

How’s your Pandemic Response Plan looking today?

David Schneier David Schneier Profile: David Schneier

I started my day yesterday by finding my 12-year-old sitting with his eyes riveted on the laptop screen reading what I figured was something either on Facebook or a sports related website.  I only wish.  Turns out he was fixated on the breaking news covering the swine flu.

Much like his father, my son suffers from a very fertile imagination and can quickly move from Point A to Point Z without so much  as a blink of an eye.  He was already busy trying to figure out how bad this was going to be and because he had no context for something like this had no boundaries to keep him in check.  Suffice to say he was at least a little concerned.

I explained to him that the hysteria he was exposed to was more the result of near real-time media capabilities that span the globe rather than something worth losing sleep over.  While there was something to be concerned about it was no likely greater than anything we’ve already dealt with and that he should relax, wash his hands frequently and go on with his life.  And of course I immediately hid my copy of Stephen King’s “The Stand.”

I’m not really sure how large of a threat the swine flu represents, I only know that it serves as yet another reminder as to why it’s important that all financial institutions (as well as many other industries) have in place a functioning and well-designed pandemic response plan.

I recall how the guidance first emerged a few years back, largely in response to the avian flu that seemed so threatening at the time.  The FFIEC issued a number of documents to raise awareness within the banking industry so that the covered institutions had ample warning that they needed to develop and implement a viable plan.  Most did but largely to appease the examiners.  Of the dozens I’ve reviewed through the years, I encountered only a handful that presented anything close to something that would work.  Most of them consisted of background documentation explaining what a pandemic was and provided some specifications about personal hygiene.  But very few of them provided clear, concise steps as to how they were going to manage through such an event.

I’m concerned that this blind-spot in business continuity planning is about to be brought to light in a very bad, ugly way.

What’s going on in the media now is a bit alarming (and I realize the irony of me, a blogger, stating as such); the swine flu is being tracked much like a hurricane barreling towards the mainland.  President Obama commented on this earlier today, which validates that this is a major news item.  And when considering the aggressive steps Mexico is taking to slow the spread of the virus I can see where for the first time in my lifetime some form of government intervention may occur.

So here’s a question for all the banks and credit unions out there: Can you manage through a quarantine with a dispersed and restricted work force?  Do your employees even have a copy of the plan available to them and if so do they know how to use it and what their role is within it?  Because this is a lousy time to be asking yourselves these very same questions.

April 21, 2009  8:12 PM

FDIC: More than just a sticker on the bank’s door.

David Schneier David Schneier Profile: David Schneier

I opened my front door last week and found my industry waiting for me on my very own doorstep, seriously.

The Raleigh News and Observer had a story on page one about how U.S. Senator Richard Burr called his family during the early days of the banking crisis last Fall and instructed them to withdraw as much money as they could from their bank accounts via ATM in reaction to the onset of the economic crisis.  Apparently what he heard during closed door sessions with our government leaders scared him so much that he was willing to be amongst the first to start a run on our banks.  And the amazing part of the story is that he’s been fond of sharing this story during speeches in the time since as a way of underscoring how dire things were.

From the cheap seats where I write, I would have to say that the only thing the story itself and the retelling of it time and again underscores is that being a U.S. Senator does not indicate any particular ability to comprehend or apply information.  It also serves as a reminder that despite being presented with evidence to the contrary, people believe what they hear ahead of what they read.  Because every time you’ve been in an FDIC insured bank there are signs all over the place that clearly state that “Each depositor [is] insured to at least to $100,000”.

I recall earlier in 2008 when the first set of banks went under due to worsening market conditions Sheila Bair, the person running the FDIC, stated loud and clear that all depositors money was safe up to the $100k limit.  She calmly and rationally explained how things were going to work, how each depositor would have unrestricted and uninterrupted access to their money as if though nothing had happened and that there was absolutely no reason to panic.  And she was right.  In the months since that first time (with IndyMac) she’s had plenty of chances to hone her “all is well” mantra as one bank after another simply reached the end of their useful lives.

When people started questioning what would happen if they had more than the covered amount, Ms. Bair worked with the various financial leaders in our government to have that amount temporarily increased to $250,000 (good through at least year end, 2009) thus assuaging the concerns of that very small percentage of people who might have such worries.  But at no time since this nightmare began to firm up nearly a year ago has anyone even remotely paying attention been presented with any evidence whatsoever that there are legitimate concerns as to the viability of the FDIC.

As matter of fact (and of interest), the FDIC has always fulfilled its promise in any situation during which it was required to do so… always. Senator Burr should have known that all along.

Sadly in the time since the story broke Senator Burr has been doing a little two-step trying to soften the absurdity of his statements saying that he “did what many people did.” Well, no, not really. He acted based on privileged information and made certain to take immediate steps to protect his constituents, except it was limited to those living in his home rather than his home state. But he didn’t think to warn me, or you or anyone else trusting their leadership to look after their best interests. His assertion that other people did exactly the same thing, particularly those from North Carolina, doesn’t hold up under scrutiny either. I’ve asked at least a half-dozen friends (and fellow Tar Heels) over the past week or so if they ever thought to run to the bank last Fall and horde cash; none did. They all wondered why I was asking and I was all too happy to share with them the story of their Senator, Bank-run Burr (kudos to MSNBC’s Rachel Maddow for that clever nickname).

The good news is that the FDIC has all of our backs, unlike Senator Burr. The better news is that I’m registered to vote in North Carolina and will have the privilege to let the Senator know first hand whether or not I have his back come Election Day 2010.

April 14, 2009  8:00 PM

Is information ever truly secure?

David Schneier David Schneier Profile: David Schneier

I never post on consecutive days; often times I struggle to post on consecutive weeks when the ideas just aren’t flowing.  But after the day I’ve just had I have no where to go with what’s swirling around in my head and so to my soapbox I run.

Without bogging the story down in needless details (a specialty of mine) I was attempting to link my personal checking account to an investment fund I maintain.  Seems simple enough; I’ve done it before and as recently as last month with a different investment firm.  All that was required the last time around was to complete an online application via SSL after authenticating to the financial services firms website with my user-id and password.  Within twenty-four hours I was able to execute purchases and redemption’s freely and was a happy customer.

Not so today.

Today I was told that I needed to download an application in PDF format, complete it, mail it in and wait for the request to be processed.  Without thinking it through I asked the customer service representative (CSR) why was it that I could conduct the same activities with their competition (actually several of their competitors) online but not with them.  He replied that online wasn’t as secure as the manual process and it was for my own safety.  That was the way wrong answer to give someone who earns a living the way I do.  And so I hammered this poor, unsuspecting fellow with a barrage of questions about how can his company ensure the safety of my hard-copy form as it leaves my hands, enters into the US Postal system, is touched by several more hands before it lands in their mail-room, is touched by even a few more hands before winding up as a request in a computer system somewhere anyway?  And what about the original document?  Is it scanned and destroyed?  If not, is it stored in hard-copy somewhere?  If so, where would that be and is the location properly secured?  And who has access to that location?  And how often are the related controls tested?

He didn’t know the answers to any of my questions.

Indirectly what he did illustrate was that I would be forced to accept an unnecessary delay in the processing of my request due to the simple fact that his management has not kept current with technology.  Because really, in the end, that’s what this is all about.  Rather than embrace the (not so) new capabilities offered via online commerce they’ve instead continued using a poorly constructed blend of old and new capabilities to mask that fact.  And instructing their CSR’s to use the stock answer of “online processing is fraught with risk” as a way to justify their decisions is wrong.  The risks presented via online processing aren’t any worse than offline processing, they’re just different; a fact I can and have proven before.  I have yet to manage engagements that included dumpster diving which failed to yield enough useful information to make the lingering stench worthwhile.

And to compound my frustration the PDF files were not even formatted so that they could be completed digitally and printed off prior to signing them.  Honestly, it would cost them a few hundred dollars to purchase the appropriate Adobe product and save everyone a bunch of time.  I asked him about that and he didn’t have an answer for me, stock or otherwise.

When I repeated the conversation later on to my wife she instantly created a new rule that prevents me from dealing with these things going forward so as to protect decent, honest people trying to make a living from self-righteous bullies such as myself.

Oh, and one more thing to share.  Later on when we were at the bank getting our hard-copy forms authorized via the medallion authentication process (something new to me altogether) I was able to view the monitor as the bank CSR worked with another client.  They had account information displayed, credit information (I could figure out it was about a loan request) and had I my cell phone available could have easily been recording everything on the screen.  How hard would it be to angle the screen away from the reception area or use a privacy filter to block spying eyes like mine?  Sensing my frustration with this total lack of basic security my wife instantly created another new rule which now prevents me from offering unsolicited free professional advice and so I didn’t when it was our turn to sit with the same CSR.

Fortunately I have my blog so that I may vent.  And so, thanks for indulging me.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: