Archive for July, 2006

Information Security & Privacy in a Digital World

Tuesday, July 18th, 2006

CNN published an interesting report today by Peggy Mihelich, "Price of virtual living: Patience, privacy."  It contains many interesting and thought-provoking statistics and other info, many of which impact information security and privacy directly or indirectly.

When was the last time you walked through a public area, such as a grocery store, airport, and so on, and did NOT see someone using or possessing some type of technology device, such as a cell phone, BlackBerry, or digital camera?  How many of these devices on the street contain business information along with the device-user’s own assorted types of information?

I found the discussion of the loss of patience associated with technology interesting.

"Time in the virtual world takes us away from time spent in the real world. Though studies are inconclusive and ongoing, some psychologists warn that too much virtual exposure can undercut face-to-face interaction, lead to depression and isolation, and erode our patience. 'We don’t have the tolerance any more to wait,' Rosen said. 'Listening to people talk slowly or talk, period — we just can’t tolerate it.'  A recent Associated Press poll found that Americans start to feel impatient after 5 minutes on hold on the phone or 15 minutes in line.  Technology has brought us to a world where we have to have it when we want it, and we want to have it all simultaneously."

Well, I’ve always gotten perturbed if I’m kept on hold for more than 5 minutes (actually less) when calling a company.  This has more to do with good customer service than with technology, however.  I also have never waited more than 10 or 15 minutes in line, such as waiting to be seated in a restaurant.  I don’t care how good the food is, I’ve always felt more than 10 minutes of doing nothing but sitting in an overcrowded bar just to be seated is wasting way too much time I could be spending doing something productive.

However, this loss of patience issue is something to keep in mind when addressing customer questions about their PII, your company’s privacy and security practices, and so on.  Be prepared for how you handle these questions ahead of time, and don’t give them the run-around.  Remember, everyone tends to be impatient.

The impatience issue is also something to keep in mind when you are creating your information security and privacy training and awareness materials.  Get to your point clearly and succinctly…don’t make your audience impatient and lose their attention with a lot of unnecessary information, or by using delivery methods that take up more of their time than is really necessary.

"E-mail lets us send a quick response, and IM lets us carry on a real-time conversation with someone halfway around the world – a great and inexpensive convenience, but a behind-the-screen form of communication."

Email and IM bring along with them their own unique and significant information security and privacy concerns…something to explore in another post or paper…

"A Federal Trade Commission survey found that from 1999 to 2003 more than 27 million Americans were victims of identity theft, costing them and businesses more than $50 billion. Personal data used to be protected by "practical obscurity," meaning that public records existed on paper or in isolated databases in courthouses and government offices. The information was legally within reach, but accessing it usually took hours or days and a lot of leg work.  But that’s changing, Steinhardt said. Communication, transaction and other public and private records have moved online, and they can be pulled together in minutes to create a picture of our lives.  Typing someone’s name into a search engine or online phone directory can reveal where they live. Going to their local government Web site can reveal how much their house is worth – and how much they pay in property taxes. Checking another Web site can reveal how much they contributed to political campaigns."

There are still too many people…too many business executives, leaders and decision-makers…who believe that obscurity is a form of security.  The abundance of electronic PII stored in so many different places puts the PII at risk…and truly does create ways to tell much more about people than just one or a few of the PII items alone could provide.

Technology is great…it is a very powerful business tool.  "With great power comes great responsibility."  Yes, I’m a Spiderman fan.  🙂  However, this statement is very true with regard to the power businesses wield over the PII they possess.

Isn’t it amazing to consider that just a little over a decade ago emails were primarily shared within organizations, through mainframe-based systems?  Now most businesses would be lost without the ability to communicate with all their business associates and customers via email.  Cellphones have virtually replaced pagers.  It will be very interesting to see what types of technology dependencies will be created for business in the coming few years.  I’m sure most, if not all, will have significant information security and privacy issues.


Insider Threat Example: FBI Computer Consultant Hacked Director’s Passwords

Monday, July 17th, 2006

On Friday, 7/14/06, Silicon Valley reported:

"An FBI computer consultant who pleaded guilty to hacking the secret passwords of Director Robert Mueller and others will not serve any time in prison, a federal judge has ruled. Joseph Thomas Colon of Springfield, Ill., was sentenced Thursday by U.S. District Judge Richard Leon to six months of home detention and ordered to pay $20,000 in restitution to the FBI.

Colon pleaded guilty in March to four misdemeanor counts of intentionally exceeding his authorized computer access. He faced up to 18 months in prison after he acknowledged using two computer programs available for free on the Internet to extract the information and decode the passwords of Mueller and others.  Prosecutors do not believe Colon was trying to damage national security or use the information for financial gain. But the FBI said it was forced to take significant steps to make sure there was no harm from Colon’s actions.

“Joseph T. Colon was granted a substantial level of trust. He betrayed that trust,” FBI assistant director Charles S. Phalen Jr. said. “Once we identified the breach of security, we took quick and appropriate action to neutralize its impact.” Colon had said he was given a password to the FBI’s secret computer system to speed work he was hired to perform in the FBI’s Springfield office."

This points out that an insider is not always an employee.  It is anyone who has access within your facilities or to your network or computer systems; in this case it was a contracted consultant.

It would be interesting to know how they arrived at the $20,000 restitution amount.

This is a good example of an insider threat incident to add to your files and use in your awareness and training messages.


Despite ChoicePoint Spin There Are Still Many Information Security and Privacy Concerns

Sunday, July 16th, 2006

There was a very interesting read in ConsumerAffairs today, "ChoicePoint Gets a Makeover."

The story reinforces once again the need to have a good security program in place with good controls and a well communicated comprehensive information security awareness and training program.  If the controls and awareness had been in place would this fraud have occurred?  We’ll never know for sure, but the chances would have been much smaller that this incident would have occurred…knowledge and controls could have blocked the criminals from instigating their fraud.

However, lack of controls and awareness aside, the gargantuan amount of personal information ChoicePoint controls is very scary…especially considering how its use in making decisions impacts virtually everyone in the U.S. and a significant number of people outside the States.

It would have been good to have gotten some statistics about ChoicePoint in this story…how many people’s records do they have in their systems?  In how many places are these records located?  How do they successfully and completely correct errors within the records?  What specific types of information do they have?  I have a feeling the answer to that would be a very, very long and disconcerting list.  With how many other organizations do they share their data?  Do they send information corrections to all these other organizations when they correct their own errors?  I could go on…but you get the picture…

Some information about Choicepoint from their site:

  • They have around 5,500 employees in 60 locations (Is all our personal data also as scattered?  Are any of these locations outside the U.S.?  Within any outsourced entities?)
  • Their 2005 Annual Report is interesting (A lot of spin….A LOT.)  A few excerpts:
    • "For the first time ever, revenues exceeded one billion dollars, at $1.06 billion, a 15 percent increase over 2004."
    • "Last year, we helped more than 100 million Americans obtain fairly-priced home and auto insurance."

So they have information on at least 100 million Americans then?

    • "As of December 31, 2005, the Company recorded a charge of $8.0 million for the FTC settlement that represents the $10.0 million civil penalty, the $5.0 million fund of consumer redress initiatives, a $4.0 million charge for additional obligations under the order offset by $11.0 million anticipated recovery of these fees from the Company’s insurance carrier."

Interesting…so of the $19 million penalty, Choicepoint only had $8 million come out of their pockets…the other $11 million was covered by their insurance provider…gee, wonder if that is something that will impact their insurance score and bump up their premium…speaking of which…

This story caught my eye for another reason because I’ve been interested in the impact and type of insurance scores Choicepoint generates and how they impact consumers’ costs for insurance.  To see a list of all the variables that go into creating your insurance score see Choicepoint’s ChoiceTrust site.  There are 156 different types of situations/events listed that can impact your insurance costs…making them go higher…and some of them will be surprising to a large segment of the population.

It’s truly amazing the power and impact these huge data brokers have, ChoicePoint in particular, and the huge amount of personal information…some of it inaccurate but propagated…about literally hundreds of millions of people.


What IT Leaders Need to Know About Using Production Data for Testing

Friday, July 14th, 2006

There are many issues involved with using live production data, particularly real personally identifiable information (PII), for test and demo purposes.  For many years it has been the norm within organizations to use copies of production data for testing during applications and systems development.  However, over the past few years this practice is becoming more and more of a bad idea with all the new privacy laws and regulations, identity theft cases, insider instigated fraud, increased customer awareness, and the growing number of companies using outsourced companies to manage applications development, testing and quality assurance. 

In my latest podcast I discuss the importance of and reasons for using data that does not include real, production PII for test and development purposes.

MP3: Rebecca Herold – What IT Leaders Need to Know About Using Production Data for Testing
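As an added example (not code from the post or the podcast), here is one way to produce a test copy of a production extract that contains no real PII: constructed sample records (not real people), keyed pseudonyms so the customer/order relationship still joins, format-preserving fake SSNs in the never-issued 900 series, shifted dates that keep the intervals between orders, and a final check that no original value leaked. The table layout, field names and helper functions are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample "production" tables (not real people). None of these
# values may reach a test, development or demo environment.
PRODUCTION_CUSTOMERS = [
    {"cust_id": "C1001", "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.com", "dob": "1980-03-14"},
    {"cust_id": "C1002", "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@example.net", "dob": "1975-11-02"},
]
PRODUCTION_ORDERS = [
    {"order_id": 1, "cust_id": "C1001", "amount": 42.50, "placed": "2006-07-01"},
    {"order_id": 2, "cust_id": "C1001", "amount": 10.00, "placed": "2006-07-09"},
    {"order_id": 3, "cust_id": "C1002", "amount": 99.99, "placed": "2006-06-20"},
]
PII_FIELDS = ("name", "ssn", "email", "dob")   # assumed PII columns of the customer table


def pseudonym(secret: bytes, value: str, width: int = 10) -> str:
    """Keyed, deterministic token. The same input maps to the same output
    within one run, so joins between tables still work, but the original
    value cannot be recovered by anyone who lacks the secret."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:width]


def mask_customer(secret: bytes, row: dict) -> dict:
    """Replace every PII field with a format-preserving fake value."""
    token = pseudonym(secret, row["cust_id"])
    digits = int(pseudonym(secret, row["ssn"], 16), 16) % 10**8
    return {
        "cust_id": "T" + token,                     # synthetic key, stable per customer
        "name": f"Test User {token[:4].upper()}",
        # Area numbers 900-999 are never issued, so this can never be a real SSN.
        "ssn": f"9{digits % 100:02d}-{(digits // 100) % 100:02d}-{digits // 10**4:04d}",
        "email": f"user-{token}@test.invalid",      # reserved TLD: mail cannot be delivered
        "dob": "1970-01-01",                        # fixed value: tests do not need real DOBs
    }


def mask_order(secret: bytes, row: dict, day_shift: int) -> dict:
    """Keep the non-PII business data, re-key to the masked customer id and
    shift the date by a per-run offset so intervals between orders survive."""
    placed = date.fromisoformat(row["placed"]) + timedelta(days=day_shift)
    return {**row, "cust_id": "T" + pseudonym(secret, row["cust_id"]),
            "placed": placed.isoformat()}


def build_test_dataset(customers, orders, secret=None):
    """Return masked copies of both tables plus the set of original PII
    values, so the caller can verify that none of them leaked through."""
    secret = secret or secrets.token_bytes(32)   # fresh per run; never stored with the output
    day_shift = int.from_bytes(secret[:2], "big") % 365 + 1
    masked_customers = [mask_customer(secret, c) for c in customers]
    masked_orders = [mask_order(secret, o, day_shift) for o in orders]
    originals = {str(c[f]) for c in customers for f in PII_FIELDS}
    return masked_customers, masked_orders, originals


def leaked_values(masked_rows, originals) -> set:
    """Any original PII value that still appears in the masked rows."""
    return {str(v) for row in masked_rows for v in row.values() if str(v) in originals}


if __name__ == "__main__":
    custs, ords, originals = build_test_dataset(PRODUCTION_CUSTOMERS, PRODUCTION_ORDERS)
    assert not leaked_values(custs + ords, originals), "production PII leaked"
    for row in custs + ords:
        print(row)
```

The leak check is the part worth keeping in a real pipeline: run it against every masked table before the extract is handed to a developer, tester or outsourcer.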

Free Security Awareness Posters from the U.S. Government

Thursday, July 13th, 2006

Earlier this week the FBI and Department of Homeland Security in partnership made available free posters, "PROTECT YOUR WORKPLACE: What You Need To Know."

The press release about this:

"What if we told you there’s a way you can improve security at your workplace…today? That it’s fast, easy, and completely free? And that it will not only enhance your personal safety on the job…but also help ensure the financial health of your organization?

It’s all true—thanks to a new “Protect Your Workplace” campaign launched by the Department of Homeland Security and the FBI.

Specifically, we’ve teamed up to produce a series of posters with practical suggestions for protecting your workplaces from both physical and cyber threats—everything from robberies and break-ins…to computer intrusions and corporate espionage…to identity theft and intellectual property violations…to even potential terrorist attacks.

By hanging these posters in common, highly-trafficked areas, you can raise security awareness and help prevent and reduce crime and terrorism in and around your place of work—whether it’s a business, a non-profit, or a government agency.

The four posters, which are being distributed electronically to workplaces across the nation, cover the following topics:

  • Protect Your Workplace: Physical Security Guidelines, including monitoring who enters your workplace, reporting broken windows and locks, making back-ups of sensitive and critical information, and reporting suspicious activity and packages.
  • Protect Your Workplace: Cyber Security Guidelines for both employees and managers/IT Departments, such as managing passwords, establishing clear policies and procedures, implementing a layered defense strategy, and monitoring and logging successful or failed intrusions into your networks.
  • Report Suspicious Cyber Incidents, including suspicious e-mails and questions, system failures, and unauthorized access or use.
  • Report Suspicious Behavior and Activity, such as surveillance, suspicious persons, dry runs, tests of security, and improper attempts to get supplies.

We’ve also created a brochure that combines all the information on the four posters into a tri-fold that can be kept at your desk and shared with colleagues, family, and friends.

So how can you get the posters and brochure? It’s easy! Just click on the graphics above to download each of the posters. You can also download the brochure and all of the materials as a series at

So take our advice—please. Security is everyone’s responsibility. Do your part to prevent crime and terrorism and to protect your organizations by putting up these posters at work today…and telling your friends and associates to do the same."

You don’t have to provide any information to download the PDFs, so if you are not comfortable providing your contact information to obtain the printed posters and you have the tools to print off the PDFs, download them! 

Many organizations are strapped for awareness and training budget dollars.  If your budget is strained, you might as well take advantage of the awareness materials the U.S. tax dollars pay for.


Chief Privacy Officer Named for the U.S. Department of Commerce Today

Thursday, July 13th, 2006

Government Technology today reported that Robert C. Cresanti was appointed CPO in addition to his current responsibilities as under secretary for technology.  I could not find an announcement about this on the Department of Commerce site, however, and I was hoping to get more information than was provided within the report.

It is good they are appointing a CPO.  However, U.S. federal privacy and data protection governance would benefit from one CPO over the entire government, basically adding a cabinet position.  That position could then coordinate privacy and data protection activities through CPOs assigned to each of the government agencies.  A similar type of system seems to work well for Canada.

The scattered and uncoordinated data protection and privacy approach currently taken does not result in consistent regulatory enforcement or unified federal laws.  Some agencies have rigorous privacy enforcement activities while there seem to be none within other agencies.


The Insecurity of Mobile Computing

Thursday, July 13th, 2006

Network World today (7/12) published "Mobile users face knotty security issues." 

There are some good points and information contained within.  Many are information security basics that good information security professionals already know: information security must be implemented in depth and in layers, as transparently to the end-user as possible, to be effective.  It’s good to reiterate these messages to the IT folks who tend to read these publications.

Too many times it seems folks outside the information security and privacy area think that security is addressed through just one action or tool…we need to raise the awareness of IT and business leaders so they understand that information security is achieved through a combination of many processes, plans, tools and activities…not just through a firewall or just by using anti-virus software.

"…secure mobile computing is a complex business."

Indeed!!  So many incidents occur…daily…involving mobile computing and storage devices.  Most are not reported to the public.  Most involve huge amounts of data.  Putting mobile computing devices and storage in the hands of your end-users is kinda like leaving your 6-month-old baby under the total care and oversight of your 7-year-old neighbor…some will be pretty responsible, but most will soon forget about the security and safety of that precious and valuable bundle you’ve entrusted to them; their attention spans are short and their awareness of the security issues is likely very low.

I personally love USB micro storage devices; they are so much handier to use than CDs.  Plus, some of the devices are very cool, too…I love the Swissbit USB tool.  However, the small size and large storage capacities (I’m looking at some really small 2GB storage units right now) of these many different USB devices scare me.  How many workers are putting confidential company data onto these devices?  How many organizations know their workers are doing this?  How many of these are lost?  How many actually encrypt the data stored on these devices?  How many visitors to your facilities use these to take information out with no one the wiser?

USB storage is just one of the many complex issues to tackle with mobile computing.  There are so many more.


Another Government Computer Security Incident: Hackers Break Into the U.S. State Dept. Computers

Tuesday, July 11th, 2006

An interesting story just appeared on CNN, "Hackers target State Dept. computers."  Some of the more interesting excerpts from the story:

"Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."

The break-ins were reportedly discovered in mid-June.  It would be interesting to know how the hackers implanted backdoors into the computers.  Perhaps the admin and supervisor passwords were among those stolen?  Were the passwords stored in clear-text files?  Or were they poorly constructed, so that a password cracker could recover them?  Sounds like at least two-factor authentication would be a good idea for all government computer systems, doesn’t it?

"'The department did detect anomalies in network traffic, and we thought it prudent to ensure our system’s integrity,' department spokesman Kurtis Cooper said. Asked what information was stolen by the hackers, Cooper said, 'Because the investigation is continuing, I don’t think we even know.'"

Well, it is refreshing to finally have a representative of an organization that has experienced an incident honestly report that he doesn’t know what was taken or compromised.

"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet."

"Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on. Cooper said the department has since fixed that problem."

I find the disabling of SSL interesting…wonder what type of protection they implemented as a compensating control?


Security and Privacy Contract Clause Considerations

Monday, July 10th, 2006

When you entrust business partners and vendors with your company’s confidential data, you are also entrusting them with all control of security measures for your organization’s data. That trust cannot be blind. Many recent privacy and security incidents have resulted from inadequate privacy and/or security practices within outsourced organizations handling another company’s customer or employee data. 

Christopher Grillo and I discuss this topic at length in our two-day information security and privacy workshop.  I just posted a paper, "Security and Privacy Contract Clause Considerations," to my Realtime IT Compliance site.  This paper covers the issues we discuss in addition to a table we created for our workshop that lists the types of information security and privacy requirements that organizations should consider including within contracts with third parties.  The table has been very helpful for organizations addressing outsourcing and partnering security and privacy issues, so we are making it available in the hope it will also be helpful to you.


What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy

Sunday, July 9th, 2006

The Health Insurance Portability and Accountability Act (HIPAA) has some specific requirements related to handling the protected health information (PHI) for minors and for the types of access that can be allowed to this information, even to parents and guardians. Many state-level laws also have requirements for restricting parental and guardian access to minors’ PHI under certain conditions.

With the commonplace practice of allowing individuals access to their account information via Internet applications, particularly among health insurance companies and pharmacies, it is important that covered entities consider the issues and impacts of providing access to the PHI of minors through such automated means as well as in person.

Restricting access to minors’ PHI from parents certainly can be tricky, particularly within automated systems that may not have access controls down to the field level.  I just posted a paper, "What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy," on my Realtime-IT Compliance site that provides information about the issues organizations, such as healthcare insurers, healthcare providers and pharmacies, need to address when establishing ways to restrict access to minors’ PHI. 
