Free Security Awareness Posters from the U.S. Government

July 13th, 2006

Earlier this week the FBI and the Department of Homeland Security jointly made available a set of free posters, "PROTECT YOUR WORKPLACE: What You Need To Know."

The press release about this:

"What if we told you there’s a way you can improve security at your workplace…today? That it’s fast, easy, and completely free? And that it will not only enhance your personal safety on the job…but also help ensure the financial health of your organization?

It’s all true—thanks to a new “Protect Your Workplace” campaign launched by the Department of Homeland Security and the FBI.

Specifically, we’ve teamed up to produce a series of posters with practical suggestions for protecting your workplaces from both physical and cyber threats—everything from robberies and break-ins…to computer intrusions and corporate espionage…to identity theft and intellectual property violations…to even potential terrorist attacks.

By hanging these posters in common, highly-trafficked areas, you can raise security awareness and help prevent and reduce crime and terrorism in and around your place of work—whether it’s a business, a non-profit, or a government agency.

The four posters, which are being distributed electronically to workplaces across the nation, cover the following topics:

  • Protect Your Workplace: Physical Security Guidelines, including monitoring who enters your workplace, reporting broken windows and locks, making back-ups of sensitive and critical information, and reporting suspicious activity and packages.
  • Protect Your Workplace: Cyber Security Guidelines for both employees and managers/IT Departments, such as managing passwords, establishing clear policies and procedures, implementing a layered defense strategy, and monitoring and logging successful or failed intrusions into your networks.
  • Report Suspicious Cyber Incidents, including suspicious e-mails and questions, system failures, and unauthorized access or use.
  • Report Suspicious Behavior and Activity, such as surveillance, suspicious persons, dry runs, tests of security, and improper attempts to get supplies.

We’ve also created a brochure that combines all the information on the four posters into a tri-fold that can be kept at your desk and shared with colleagues, family, and friends.

So how can you get the posters and brochure? It’s easy! Just click on the graphics above to download each of the posters. You can also download the brochure and all of the materials as a series at http://www.us-cert.gov/reading_room/distributable.html#work.

So take our advice—please. Security is everyone’s responsibility. Do your part to prevent crime and terrorism and to protect your organizations by putting up these posters at work today…and telling your friends and associates to do the same."

You don’t have to provide any information to download the PDFs, so if you are not comfortable providing your contact information to obtain the printed posters and you have the tools to print off the PDFs, download them! 

Many organizations are strapped for awareness and training budget dollars.  If your budget is strained, you might as well take advantage of the awareness materials the U.S. tax dollars pay for.


Chief Privacy Officer Named for the U.S. Department of Commerce Today

July 13th, 2006

Government Technology today reported that Robert C. Cresanti was appointed CPO in addition to his current responsibilities as under secretary for technology.  I could not, however, find an announcement about this on the Dept of Commerce site; I was hoping to get more information than the report provided.

It is good they are appointing a CPO.  However, U.S. federal privacy and data protection governance would benefit from one CPO over the entire government, basically adding a cabinet position.  That position could then coordinate privacy and data protection activities through CPOs assigned to each of the government agencies.  A similar system seems to work well for Canada.

The scattered and uncoordinated data protection and privacy approach currently taken does not result in consistent regulatory enforcement or unified federal laws.  Some agencies have rigorous privacy enforcement activities while there seem to be none within other agencies.


The Insecurity of Mobile Computing

July 13th, 2006

Network World today (7/12) published "Mobile users face knotty security issues." 

There are some good points and information contained within.  Many are information security basics that good information security professionals already know: to be effective, information security must be implemented in depth and in layers, and as transparently to the end user as possible.  It’s good to reiterate these messages to the IT folks who tend to read these publications.

Too many times it seems folks outside the information security and privacy area think that security is addressed through just one action or tool…we need to raise the awareness of IT and business leaders so they understand that information security is achieved through a combination of many processes, plans, tools and activities…not just through a firewall or just by using anti-virus software.

"…secure mobile computing is a complex business."

Indeed!!  So many incidents occur…daily…involving mobile computing and storage devices.  Most are not reported to the public.  Most involve huge amounts of data.  Putting mobile computing devices and storage in the hands of your end-users is kinda like leaving your 6-month-old baby under the total care and oversight of your 7-year-old neighbor…some will be pretty responsible, but most will soon forget about the security and safety of that precious and valuable bundle you’ve entrusted to them; their attention spans are short and their awareness of the security issues is likely very low.

I personally love USB micro storage devices; they are so much handier to use than CDs.  Plus, some of the devices are very cool, too…I love the Swissbit USB tool.  However, the small size and large storage capacities (I’m looking at some really small 2GB storage units right now) of these many different USB devices scare me.  How many workers are putting confidential company data onto these devices?  How many organizations know their workers are doing this?  How many of these are lost?  How many actually encrypt the data stored on these devices?  How many visitors to your facilities use these to take information out with no one the wiser?

USB storage is just one of the many complex issues to tackle with mobile computing.  There are so many more.


Another Government Computer Security Incident: Hackers Break Into the U.S. State Dept. Computers

July 11th, 2006

An interesting story just appeared on CNN, "Hackers target State Dept. computers."  Some of the more interesting excerpts from the story:

"Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."

The break-ins were reportedly discovered in mid-June.  It would be interesting to know how the hackers implanted backdoors into the computers.  Perhaps the admin and supervisor passwords were some of those stolen?  Were the passwords stored in clear-text files?  Or were they poorly constructed, so that a password cracker could recover them?  Sounds like at least two-factor authentication would be a good idea for all government computer systems, doesn’t it?

"'The department did detect anomalies in network traffic, and we thought it prudent to ensure our system’s integrity,' department spokesman Kurtis Cooper said. Asked what information was stolen by the hackers, Cooper said, 'Because the investigation is continuing, I don’t think we even know.'"

Well, it is refreshing to finally have a representative of an organization that has experienced an incident honestly report that he doesn’t know what was taken or compromised.

"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet."

"Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on. Cooper said the department has since fixed that problem."

I find the disabling of SSL interesting…wonder what type of protection they implemented as a compensating control?


Security and Privacy Contract Clause Considerations

July 10th, 2006

When you entrust business partners and vendors with your company’s confidential data, you are also entrusting them with control of the security measures protecting your organization’s data. That trust cannot be blind. Many recent privacy and security incidents have resulted from inadequate privacy and/or security practices within outsourced organizations handling another company’s customer or employee data.

Christopher Grillo and I discuss this topic at length in our two-day information security and privacy workshop.  I just posted a paper, "Security and Privacy Contract Clause Considerations," to my Realtime IT Compliance site.  This paper covers the issues we discuss, along with a table we created for our workshop that lists the types of information security and privacy requirements that organizations should consider including within contracts with third parties.  The table has been very helpful for organizations addressing outsourcing and partnering security and privacy issues, so we are making it available in the hope it will also be helpful to you.


What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy

July 9th, 2006

The Health Insurance Portability and Accountability Act (HIPAA) has some specific requirements related to handling the protected health information (PHI) for minors and for the types of access that can be allowed to this information, even to parents and guardians. Many state-level laws also have requirements for restricting parental and guardian access to minors’ PHI under certain conditions.

With the commonplace practice of allowing individuals access to their account information via Internet applications, particularly among health insurance companies and pharmacies, it is important that covered entities consider the issues and impacts of providing access to the PHI of minors through such automated means as well as in person.

Restricting access to minors’ PHI from parents certainly can be tricky, particularly within automated systems that may not have access controls down to the field level.  I just posted a paper, "What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy," on my Realtime-IT Compliance site that provides information about the issues organizations, such as healthcare insurers, healthcare providers and pharmacies, need to address when establishing ways to restrict access to minors’ PHI. 
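One way to make the field-level restriction concrete, as an added example that is not code from the original post or the linked paper: the schema, the roles and the tag that marks a field as withheld from a parent or guardian are assumptions for illustration only; which fields a parent may actually see is a legal and compliance determination under HIPAA and state law. The point the code makes is that the filter fails closed: a field added to the record without a policy entry is withheld rather than shown, and the withheld field names (never their values) are returned so the decision can be audited.

```python
"""
Field-level access filter for a minor's PHI record.

Added example, not code from the original post or the linked paper. The
schema, the roles and the "restricted_from_guardians" tag are assumptions
for illustration; which fields a parent or guardian may see is a legal and
compliance determination under HIPAA and state law.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the requester may not see the record at all."""


@dataclass(frozen=True)
class FieldPolicy:
    name: str
    restricted_from_guardians: bool = False   # assumed tag, set by compliance


@dataclass
class Record:
    patient_age: int
    fields: dict[str, str]


@dataclass
class View:
    visible: dict[str, str]
    withheld: list[str] = field(default_factory=list)  # names only, for the audit log


# Assumed schema: every field a system may expose needs an explicit policy.
SCHEMA: dict[str, FieldPolicy] = {
    "name": FieldPolicy("name"),
    "dob": FieldPolicy("dob"),
    "immunizations": FieldPolicy("immunizations"),
    "confidential_visits": FieldPolicy("confidential_visits", restricted_from_guardians=True),
}

AGE_OF_MAJORITY = 18  # assumption; the threshold varies by state


def filter_record(record: Record, requester_role: str) -> View:
    """Return the subset of the record the requester may see.

    Roles (assumed): "patient" is the individual the record is about,
    "provider" is the treating clinician, "guardian" is a parent/guardian.
    A field with no schema entry is withheld from every role except the
    patient, so the filter fails closed when a field is added without a policy.
    """
    if requester_role == "patient":
        return View(visible=dict(record.fields))

    if requester_role == "guardian" and record.patient_age >= AGE_OF_MAJORITY:
        # Parental access to an adult's record is not automatic; deny outright.
        raise AccessDenied("requester is not a guardian of a minor")

    if requester_role not in ("provider", "guardian"):
        raise AccessDenied(f"unknown role {requester_role!r}")

    view = View(visible={})
    for name, value in record.fields.items():
        policy = SCHEMA.get(name)
        if policy is None:
            view.withheld.append(name)          # unlabeled field: fail closed
        elif requester_role == "guardian" and policy.restricted_from_guardians:
            view.withheld.append(name)
        else:
            view.visible[name] = value
    return view


# Constructed sample record for a 15-year-old; all values are placeholders.
SAMPLE_MINOR = Record(
    patient_age=15,
    fields={
        "name": "J. Doe",
        "dob": "1991-03-04",
        "immunizations": "MMR 1992-05-01",
        "confidential_visits": "2006-06-20 visit",
        "lab_results": "pending",   # no schema entry: withheld except from the patient
    },
)


if __name__ == "__main__":
    v = filter_record(SAMPLE_MINOR, "guardian")
    print("guardian sees:", sorted(v.visible))
    print("withheld (logged by name only):", sorted(v.withheld))
```

In a web portal this filter sits between the data layer and the page template, so a parent logging in to view a child's account never receives the restricted fields in the response at all, rather than receiving them and relying on the page to hide them.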


Confidential Info on 100,000 Posted on Navy Website for 6 Months: 2nd Navy Breach Incident in 2 Weeks

July 9th, 2006

Friday (7/7) the Naval Safety Center (NSC) reported personal information on more than 100,000 Navy and Marine Corps aviators and aircrew had been posted on its public Web site for over 6 months.  The data reportedly included Social Security numbers for current active-duty and reserve aviators and aircrew, and potentially every Navy and Marine aviator who has actively served in the past 20 years.

"The same personal information was contained on 1,083 Web-enabled safety program disks mailed to Navy and Marine Corps commands, according to an NSC statement. The center’s Web site has been shut down since July 7."

And yes, they had a similar incident just weeks ago.

"In late June the Navy Personnel Command (NPC) said it had discovered that personal data – including Social Security numbers and birthdates – on 28,000 service members and their family members had been published on a civilian Web site."

Where are the controls over this sensitive information?  If this is simply human error, where is the oversight?  Why isn’t someone checking these sites continuously to ensure nothing inappropriate is getting posted?  What are the policies and procedures in place to protect this type of information?  ARE there policies and procedures in place?

Hackers don’t need to break into most networks to get confidential information; they can just keep an eye on websites for whenever the information is posted.
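A concrete form of the continuous check asked for above, as an added example that is not part of the original post and not the Navy's code: a scanner that looks for Social Security number patterns in page content and can be wired in as a pre-publication gate or run on a schedule against an already-published site. The sample page is constructed. The structural rules (area 000, 666 and 900 to 999, group 00 and serial 0000 are never issued) cut the false positives from phone and part numbers, and the report masks all but the last four digits so the finding itself does not reproduce the data.

```python
"""
Scan page content for Social Security numbers before it is published, or
periodically once it is live.

Added example, not code from the original post or from the Navy. The sample
page below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 3-2-4 digit groups separated by a hyphen or a space. The digit look-arounds
# stop the pattern from matching inside longer digit runs (part numbers,
# 10-digit phone numbers).
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    line: int
    masked: str   # only the last four digits are kept, so the report is not itself a leak


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never issues."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def strip_html(html: str) -> str:
    """Crude tag removal; keeps the line structure so findings can be located."""
    return re.sub(r"<[^>]+>", " ", html)


def scan_text(text: str) -> list[Finding]:
    """Return one masked Finding per plausible SSN, with its 1-based line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_PATTERN.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(lineno, f"***-**-{m.group(3)}"))
    return findings


def publish_gate(html: str) -> bool:
    """True when the content is clean; False should block the publish step."""
    return not scan_text(strip_html(html))


# Constructed sample page: one real-looking SSN, one with an invalid area,
# one space-separated SSN, plus a phone number and a part number that must
# not be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Aircrew roster (constructed sample)</h1>
<table>
<tr><td>Doe, J.</td><td>123-45-6789</td><td>515-555-0100</td></tr>
<tr><td>Roe, A.</td><td>000-12-3456</td><td>not a valid SSN</td></tr>
<tr><td>Poe, M.</td><td>219 09 9999</td><td></td></tr>
</table>
<p>Part number 1234-56-7890 is not an SSN either.</p>
</body></html>"""


if __name__ == "__main__":
    for f in scan_text(strip_html(SAMPLE_PAGE)):
        print(f"line {f.line}: possible SSN {f.masked}")
    print("publish allowed:", publish_gate(SAMPLE_PAGE))
```

For a live site the same scan_text call is fed the fetched HTML of each page on a schedule (fetching is left out here); the same logic also applies to files about to be burned to distribution disks, which is where the second copy of this data went.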

The Navy, and probably every other government agency, needs to do a privacy impact assessment (PIA) to find where their other privacy breach risks exist, and they need to ensure security and privacy are built into their SDLC process to help keep this type of incident from happening.  And, of course, it definitely appears that their information security and privacy awareness and training efforts could be beefed up.

And yes, government agencies ARE required to do annual PIAs…but are they being done effectively?  It seems a lot is getting overlooked based upon the ongoing security breaches.


Managing the Impact of Privacy on Business

July 8th, 2006

Privacy and trust are essential to maintain good relationships with customers, employees and business partners, as well as to comply with the growing number of privacy regulations worldwide. Addressing privacy touches all facets of an organization, including business operations, websites and services, back-end systems and databases, communications with third parties, customers and service providers, and legacy systems.

Over the past three years I have been delivering a 2-day workshop I created that addresses these issues, along with explaining practical steps for structuring an effective privacy governance program based on a privacy impact assessment.  I update the workshop each time I give it (approximately twice a year) to ensure all the latest privacy and related information security challenges are addressed.

I will next be giving the workshop in San Francisco on July 20 & 21.  For more information click here.  To save $100, enter the priority code SAN06 in the registration form.

I really enjoy giving this class and working with the participants on how to address their privacy governance challenges.  If you have the chance please join us!


Dept of Health and Human Services Makes HIPAA Tool Available

July 6th, 2006

Yesterday the U.S. Department of Health and Human Services (HHS) published "HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool."  The flow chart that is part of the tool should be particularly helpful for healthcare providers.


SMB Security Made MADDENING!!!! Security Vendors; Please Get Some Customer Service Skills!!

July 5th, 2006

Today was the culmination (at least I hope there is no more of this to deal with) of over two weeks of dealing with notebook computer hell…created through a combination of wireless woes (I just got wireless in May, but after a computer crash it has not been working correctly) and computer woes (got the "old" computer fixed to use as a backup and bought a new one…a LEMON…which I just exchanged for a brand new one out of the box this morning).

I was elated with how well my new computer was running today…so fast…so quietly…so good I did a happy dance with my sons.  All was well…Internet access…email service…until…I installed Norton Internet Security Center and voilà…I could no longer send or receive email, even after many Norton setting changes…I could no longer get to some Internet sites, or some sites just loaded the HTML code, even after many Norton setting changes.

Okay, fine, I’ll disable Norton.  Gee, did that help?  *NO*!!!  Well, then I’ll uninstall it…gee did that help?  *NO*!!!!  According to both my ISP and my hardware/software support service the error codes I was receiving on Outlook indicated that it was Norton still interfering with my computer’s communications with the outside world.  Apparently once Norton is installed it just does not want to go away.  Hmm…doesn’t that make it a type of malicious code itself?

Without going into minute details, suffice it to say that one of the MANY actions I took was calling Symantec’s "SUPPORT" line, and I found myself in an automated phone response nightmare.  What really ticked me off was that the Symantec computer voice indicated that I should get a priority number to be able to be helped most quickly.  It then rattled off the URL so quickly I had to listen to it 3 times to get the URL correct.  But, guess what?  *I COULD NOT GET OUT TO THE INTERNET TO GET THE D*MN PRIORITY CODE BECAUSE OF WHAT THEIR SOFTWARE DID!!!*

Okay, fine, then I called them back…and after another 45 – 60 minutes of being the virtual silver ball in the Symantec customer support pinball phone system, I hung up.  I have never experienced such poor customer service…not even getting a real human…ever before.

AAAAAARRRRRGGGGGGGHHHHHHHHH

There are literally millions of small to medium sized businesses in the U.S….including sole proprietors such as myself.  Most do not have dedicated tech personnel on staff…we are OUR OWN tech support.  We spend enough time doing our own daily tech support activities without being pushed through a maze of "press number 1" for this and "number 2" for that when we need some technical support for huge problems a vendor’s software causes, making us spend inordinate and valuable amounts of our business time trying to figure out and fix the mess their software…bundled in with my computer and which launched itself automatically…causes.

Okay…thanks for letting me vent.  I also found out today that there *ARE* some vendors with very good customer service skills.  From my own experience today, I am very happy with CompUSA (at least the folks in the Clive, Iowa store), and I’m very thankful for being able to use and connect quickly with their software support partner, Dial-A-Tech, who helped me to finally get rid of all the claws Norton left embedded in my system…I think I am finally working okay.

And yes, I have installed a different security package…I’ll not comment about it until I see how well it works for at least a week or two.

The lessons of this tale (besides allowing me to vent)?

  1. Vendors need to make sure their software doesn’t screw up a computer to an unusable state.  Yes, I know this is nothing new…but it is still worth beating the drum about.
  2. Vendors, particularly software vendors, and very critically security software vendors, need to establish GOOD customer service capabilities!  It would be nice if they had GREAT customer service…but you know, I’m starkly realistic right now, and I think just asking for good would be a huge improvement.
  3. Small and medium sized businesses often have no dedicated tech staff and have to deal with all these tech problems themselves.  If security vendors continue to allow their products to screw up the ability for the businesses to function, most will likely not install security software.  I wrote about data breaches in small businesses in this blog in March; the use of security software would likely increase if buggy, overzealously aggressive and downright disruptive security software were not so heavily marketed and forced upon the businesses purchasing their computing equipment.

I think my ordeal is not unique.  There are probably thousands of small and medium sized businesses losing days of work and income while trying to address the technical problems caused by security software that does not work like it should.  Security vendors, if you really want to help improve security, improve your security products and improve your customer service.
