<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1411700222164224755</id><updated>2012-02-05T19:43:29.762-05:00</updated><title type='text'>The Privacy Pundit - Privacy &amp; Security in the Real World</title><subtitle type='html'>Privacy and security are typically good things. But the way they are implemented or presented to real people to follow in the real world are not always realistic. 

Sometimes they are just downright ridiculous.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>42</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8060845837128638366</id><published>2012-01-25T15:17:00.002-05:00</published><updated>2012-01-25T15:17:49.447-05:00</updated><title type='text'>The Most Egregious (and refreshingly honest) Privacy Policy You May Ever Read</title><content type='html'>&lt;div class="contentTitle"&gt;This is an actual Privacy Policy excerpted in all of its full glory from the website, &lt;a href="http://skipity.com/"&gt;http://skipity.com&lt;/a&gt;, a Google-like search engine.&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;If nothing else, this policy should win an award for its 'emperor has no clothes' approach to privacy (or a lack thereof). 
&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;I would ask "How much worse is this approach of pure and unadulterated honesty in advertising, versus the usual unfair and deceptive practices we have seen with some of the most sophisticated and privacy savvy web companies in the world?" Read on and enjoy...&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;&amp;nbsp;&lt;/div&gt;&lt;div class="contentTitle"&gt;Privacy Policy&lt;/div&gt;&lt;br /&gt;&lt;div class="pageContent"&gt;Sua sponte: Hereto within, both for consideration and exemplification in abeyance subject to adjudication pro se and terms whereto superseding justifies the underscore until res judicata thusly relieving ALL satisfactions. All parties hereby agree to wit habeas corpus.&lt;br /&gt;&lt;br /&gt;We firmly believe that privacy is both inconsequential and unimportant to you. If it were not, you probably would not have a Facebook, Twitter, or LinkedIn account: and you certainly wouldn't ever use a search engine like Google. If you're one of those tin-foil-hat wearing crazies that actually cares about privacy: stop using our services and get a life.&lt;br /&gt;&lt;br /&gt;We agree with Mark Zuckerberg when he pithily opined "The age of Privacy is Over."&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Our privacy policy is a reflection of this conviction.&lt;/strong&gt; Therefore, to satisfy the absurd privacy requirements of various legal entities (and so you understand exactly where you stand with us) we are pleased to present our privacy policy:&lt;br /&gt;&lt;br /&gt;1. 
&lt;strong&gt;We are the company that cares about your privacy.&lt;/strong&gt; Specifically, while most other companies are concerned with protecting your privacy, we care about profiteering and violating it when expedient or useful.&lt;br /&gt;&lt;br /&gt;2. You may think of using any of our programs or services as the privacy equivalent of living in a webcam fitted glass house under the unblinking eye of Big Brother: you have no privacy with us. If we can use any of your details to legally make a profit, we probably will. &lt;br /&gt;&lt;br /&gt;3. We will track and log everything we can about all the dirty (and clean) things you do and like with cookies, GPS, secure connections and or whatever technology exists today or becomes available at any time in the future.&lt;br /&gt;&lt;br /&gt;4. By using any of our services, you grant us permission to surgically implant a tracking microchip of our choosing in your body and sell all collected information to the highest bidder . . . and to all other bidders. You also agree to regular updates and reinstalls of said device entirely at our discretion for up to 50 years after the end of your natural life.&lt;br /&gt;&lt;br /&gt;5. If the opportunity arises to sell or otherwise use this or any information, data or meta data about you or your world, we will jump at that opportunity like a pitbull on a fresh steak&lt;br /&gt;&lt;br /&gt;6. Please email us to tell us some of your secrets. We may, at our sole discretion (or lack thereof), broadcast, reveal, sell, manipulate, or otherwise use these secrets, or any information we collect to our benefit whenever, wherever, and however we choose.&lt;br /&gt;&lt;br /&gt;7. We are right now looking at you through your webcam. Do you always move your lips like that when you read? We also recorded what you were doing last week and are sending the video to (you know who). 
If the prior statements are not true, it's because in addition to everything else, we reserve the right to lie to you, and you agree to believe us and hold us harmless for any and all such lies. Furthermore, if we are not recording everything you're doing through your webcam, it's either because we haven't figured out how, you're just not that interesting, or both.&lt;br /&gt;&lt;br /&gt;8. We are serious about all of the above. So don't go trying to sue us later with some nonsense like "I thought that was all satire." All your privacy are belong to us. We mean it.&lt;br /&gt;&lt;br /&gt;9. Cookies: We like chocolate chip cookies. You agree to furnish any employee or associate of our company with fresh chocolate chip cookies upon request. That's the price of using our programs and or services (in addition to any other price we come up with).&lt;br /&gt;&lt;br /&gt;10. Spam. You agree that nothing we do with the access and information you grant to us shall be called Spam: even if it is. We prefer the term "bacon", because . .. mmmmmmmm bacon.&lt;br /&gt;&lt;br /&gt;That's it! So Go Ahead and try Skipity:&lt;br /&gt;&lt;a class="button btn-skipity" href="http://go.skipity.com/"&gt;skipity&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8060845837128638366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2012/01/most-egregious-and-refreshingly-honest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8060845837128638366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8060845837128638366'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2012/01/most-egregious-and-refreshingly-honest.html' title='The Most Egregious (and refreshingly honest) Privacy Policy You May Ever Read'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3207514467372664392</id><published>2012-01-05T15:27:00.001-05:00</published><updated>2012-01-05T15:27:49.547-05:00</updated><title type='text'>My 12 Privacy Resolutions for 2012</title><content type='html'>&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;&lt;span style="color: black; font-family: 
&amp;quot;Times&amp;quot;,&amp;quot;serif&amp;quot;; mso-bidi-font-weight: bold; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;1. &lt;/span&gt;&lt;span style="color: black; font-family: &amp;quot;Times&amp;quot;,&amp;quot;serif&amp;quot;; mso-bidi-font-size: 11.0pt; mso-bidi-font-weight: bold; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;Unsubscribe from all e-mails and newsletters you don't read, never read anymore or never actively signed up for. Your e-mail address is just going to be sold to other marketers or mailing lists anyway so start to cut down on the clutter.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;2. Update and strengthen your passwords that you use for critical, financial and other data heavy websites.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;3. Stop updating everyone on your location via smartphone apps. 
No one really cares and you're just letting thieves know you are not home so they can rob you.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;4. When putting mail in the mailbox for the Postman to pick up, don't lift the flag to indicate that there is mail in the box. The mailman will find it anyway. Leaving the flag up tells ID thieves that you have some mail that may contain some interesting personal data.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;5. Pay all of your bills online. C'mon, it's 2012.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;6. 
Stop using your debit card to make online or offline purchases, or buy gas; use a credit card only. Using a debit card gives a thief direct access to your checking account, making it difficult to prove fraud, and preventing you from taking advantage of consumer protection laws that most credit cards offer.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;7. Do an exhaustive Google search on yourself to see what information is out there so you can see what the blogosphere is saying about you, if anything.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;8. 
Make sure the "Do not track" option is checked in your browser's settings.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;9. If you haven't already, start to integrate the concept of 'privacy by design' into your business and/or IT development processes; don't try bolting it on once the process or application is complete and ready to be rolled out.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;10. Formalize and publicize a social media policy within your company so everyone knows what the rules are.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;11. 
Formalize and publicize your position on consumerized IT within your company, again, so everyone knows what the rules are.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;span style="font-size: large;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;12. Finally realize that there is no such thing as 'free' on the internet. No free iPads or dinner coupons to Cheesecake Factory, or trips to Disney World. Stop clicking on those offers or accepting the links on Facebook. And no, you are not really the 1,000,000th visitor(!!!) to a site and have not really won anything. Pass it on.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: inherit; font-size: large;"&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3207514467372664392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2012/01/my-12-privacy-resolutions-for-2012.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3207514467372664392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3207514467372664392'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2012/01/my-12-privacy-resolutions-for-2012.html' title='My 12 Privacy Resolutions for 2012'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3010563732001625434</id><published>2011-12-30T14:18:00.001-05:00</published><updated>2011-12-30T14:18:26.233-05:00</updated><title type='text'>'Security Through Obscurity' shows lack of maturity</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;My last post for 2011 will be about a favorite and common topic amongst security professionals: the art and technique of ‘security through obscurity.’ Anyone and everyone in the privacy and security fields knows about this and I am sure that 95% of the readers have knowingly used this approach to protect data and other assets (the other 5% are probably lying).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Simply put, the ‘security through obscurity’ &lt;i style="mso-bidi-font-style: normal;"&gt;control&lt;/i&gt;, if you will, is making some weakness so discreet, subtle or inconspicuous that you are hoping that a user or bad guy does not find the loophole or back door, intentionally or otherwise. I am not talking here about unanticipated ways to defeat your explicit and obvious controls that the developers or programmers could have never contemplated; I am talking about the “ignore that man behind the curtain” ones. Exactly the ones that little Toto sniffing under a curtain uncovers…. Like the empty police car on the side of the highway. Or like stating that your password complexity requirements are 9 characters that must consist of 1 lower case letter, 1 number, 1 special character and 1 upper case letter. 
And then not enforcing the policy.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I got to thinking about this when I recently thought about a line in a Gnarls Barkley song, “Smiley Faces.” The line was “&lt;i style="mso-bidi-font-style: normal;"&gt;Was knowing your weakness what made you strong&lt;/i&gt;?” Now I have asserted in the past that a secret is only a secret if it remains between a minimal number of people; when the world knows it, it becomes as useful and valuable as yesterday’s newspaper. And if you would make (most) private data held by governmental institutions and corporations easily available to anyone, acquiring it would mean nothing since it cannot be readily misused, like it can be today. In the security context, knowing that the weakness exists in your application/program/website is the strength you need to resolve the fault proactively. And in the future, you can build in ‘privacy by design’ rather than trying to bolt on security after the fact. Always an ugly outcome, both aesthetically and from a user experience.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;My point here is that relying on the ‘security through obscurity’ approach, to any degree, for information protection shows an overall lack of sophistication and maturity in your security process and program. I realize that many companies take this approach because it is cheap and fast to deploy – building in proper controls takes time and money. Ultimately, though, you will have two choices when you decide to take a path toward security: you can either pay now or pay later. You pay now by making the investment in proper coding controls and preventative measures; you pay later when someone finds the weakness/hole in your program, application or website and posts it on YouTube and then you have to re-engineer the code all over again, making double work. 
In my opinion, paying now lays the groundwork in your organization for both a respect for security and privacy considerations as a corporate value, and for a discipline of doing the right thing right now.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Make a New Year’s resolution then to avoid the temptation of at least one venial sin this year as you think about your security program and policies in 2012 – the sin of sloth. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Happy New Year!&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3010563732001625434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/security-through-obscurity-shows-lack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3010563732001625434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3010563732001625434'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/security-through-obscurity-shows-lack.html' title='&apos;Security Through Obscurity&apos; shows lack of maturity'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2152501129550569897</id><published>2011-12-11T19:39:00.000-05:00</published><updated>2011-12-11T19:39:03.837-05:00</updated><title type='text'>Ignoring Risk management is the riskiest act of all</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Garamond;"&gt;I always say that everything comes down to risk management. From whether you fly or drive to your vacation spot, to whether you have one more beer at the party, to what stocks you invest in within your 401(K), it all comes down to decisions about risk. Sometimes the decisions are monumental, but mostly they’re insignificant. Most of the time we can ignore, or accept, the risks we take on daily with no impact; other times we see the very real repercussions.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Garamond;"&gt;If there were ever a poster child for what happens when you blatantly ignore risk management, it would have to be Jon Corzine. 
The &lt;i style="mso-bidi-font-style: normal;"&gt;former&lt;/i&gt; CEO of MF Global, and &lt;i style="mso-bidi-font-style: normal;"&gt;former&lt;/i&gt; Governor of New Jersey, and &lt;i style="mso-bidi-font-style: normal;"&gt;former&lt;/i&gt; Chairman of Goldman Sachs – who you would think would understand the essentials of risk management as well as anyone on this planet – apparently routinely ignored the pleadings of his Chief Risk Officer about the tenuous position of the firm’s investment positions.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Garamond;"&gt;Tragically, Mr. Corzine not only ignored what his Risk Officer was telling him, he undermined him by complaining to others in the company about the “dour attitude and persistence” (?!?!) of the Risk Officer.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Garamond;"&gt;No surprise that the Chief Risk Officer was let go in March of this year.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Garamond;"&gt;The act of ignoring risk management as the riskiest possible action is a tautological overstatement of mythical proportions. It is true that &lt;/span&gt;&lt;span style="color: #262626; font-family: Garamond; mso-bidi-font-family: Garamond; mso-bidi-font-size: 16.0pt;"&gt;America's culture, more than any other in the world, forgives failure, tolerates risks, and embraces uncertainty in almost any endeavor. In fact the more brazen the better. Think of the Moon landing, or Evel Knievel. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: #262626; font-family: Garamond; mso-bidi-font-family: Garamond; mso-bidi-font-size: 16.0pt;"&gt;Yet what is it about a CEO who arguably is a brilliant individual, with undeniable talent, insight and an ability to lead organizations successfully that allowed him to take on risks that were not commensurate with his company’s, or at least his Chief Risk Officer’s, risk appetite? Your CRO and General Counsel should be the two people with whom you get full agreement on every significant decision that you as a CEO make. Undermining your CRO about his warnings on your risky behavior is like telling everyone your cardiologist is a ‘Debbie Downer’ because he diagnosed you with lung cancer.&lt;/span&gt;&lt;span style="font-family: Garamond;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: #262626; font-family: Garamond; mso-bidi-font-family: Garamond; mso-bidi-font-size: 16.0pt;"&gt;I think our general nonchalance, or maybe disdain, for risk management in general stems from what we as lay people interpret as its accessibility. Everyone has heard or has used the question “What’s the risk?” Yet how many people really understand true risk management principles? &lt;i style="mso-bidi-font-style: normal;"&gt;Inherent &lt;/i&gt;risk? &lt;i style="mso-bidi-font-style: normal;"&gt;Residual &lt;/i&gt;risk? Really? Do you know what it means? (Ultimately, I blame Parker Bros. for creating the board game, Risk, which we all played as kids. 
Now everyone thinks they understand, in addition to world domination, ‘risk.’)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: #262626; font-family: Garamond; mso-bidi-font-family: Garamond; mso-bidi-font-size: 16.0pt;"&gt;You rarely hear people throwing the term “quantum physics” around as cavalierly as we do with the phrase “risk management.” Many of us in the Corporate world think we understand what risk management is like many homeowners think they understand electricity or plumbing. Sure, you can change a faucet out or wire a ceiling fan, but would you as an untrained homeowner really think that it is worth the risk (the word, again) to rewire the circuit panel that powers your whole house? Most rational individuals don’t think it is worth the tradeoff of saving the $300 it costs to have the electrician come and do the job right, versus the possibility of burning your own house down. A tough sell to the wife under any circumstances.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: #262626; font-family: Garamond; mso-bidi-font-family: Garamond; mso-bidi-font-size: 16.0pt;"&gt;Just like I don’t expect my dentist to tell me about best practices in privacy, I don’t pretend I know the best way to extract a bicuspid either. So, please, begin to give risk management its due as a genuine discipline practiced by professionals who have different and specialized skills that you don’t have. Don Corleone needed a professional risk manager (Consigliere, Tom Hayden) and so do you, I’ll bet. Don’t go it alone. It’s not worth the risk.&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2152501129550569897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/ignoring-risk-management-is-riskiest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2152501129550569897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2152501129550569897'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/ignoring-risk-management-is-riskiest.html' title='Ignoring Risk management is the riskiest act of all'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2446058080639001783</id><published>2011-12-03T22:47:00.000-05:00</published><updated>2011-12-05T08:45:12.786-05:00</updated><title type='text'>Ready for its closeup: Privacy in the Board Room</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;When (and if) you ever think of or hear the term “Board of Directors” you probably envision a panel of crusty old-timers sitting around a long board room table day-dreaming, doodling, or dozing off while a CEO goes through yet another Death by PowerPoint presentation. If you think those people are there just to enhance their resume and collect their stipend, think again. It’s a whole new world for Board members these days.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;The visibility and implied responsibility that Board members have in today’s business environment is as substantial as it has ever been. No longer can Board members be asleep at the wheel while the CEO and/or the company explore every whim or hare-brained idea they want. 
Starting somewhere around the implosion of Enron back in 2001, investors and other interested observers began asking in earnest “&lt;i style="mso-bidi-font-style: normal;"&gt;Where was the Board in all of this&lt;/i&gt;?”&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;As recently as late 2010, the Board of Hewlett-Packard fired CEO Mark Hurd in a very public way claiming some impropriety with a female contractor and his expense reports. Even during the most recent scandal at Penn State, the media began questioning why the college’s Board of Trustees did not raise a red flag or call into question the very questionable actions of a rogue assistant coach. So why is this group of people, who had forever been seen by many as rubber stamps, now suddenly, and finally, taking on the task of ‘guardians of the corporate reputation’?&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;The Board of Directors or Trustees acts in trust for the shareholders and employees of a company or taxpayers and students in the case of a school. They are tasked with ensuring that integrity of action and quality of product is delivered by the institution with which they are engaged. 
It is a duty that should not be taken lightly; and appears as though it is taken more seriously now than ever.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;Good thing too. In addition to overseeing their respective institutions, one duty that governing boards must address is the various competing priorities of mission, vision, growth and the mundane administrative. One contemporary matter that will be occupying the board’s agenda more and more is that of privacy - privacy of customers’ data, privacy of drivers’ location, privacy of users’ preferences, privacy of subscribers’ habits, and on and on.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;Privacy must be a board level topic. Why? Because privacy and its first cousin, security, are not just compliance issues anymore; they are business issues. Business issues that deserve a seat at the table just like innovation, marketing, sales and design have had for years. A company with a core corporate value of privacy has a distinct competitive advantage over one that treats its customers’ privacy cavalierly. Witness two of the year’s highest profile cases of consumer backlash against a company’s apparent disregard of its customers’ privacy: Google’s covert use of collecting Gmail accounts when it rolled out its Social Circles product in May this year, and Facebook’s censure by the FTC for a host of infractions, all centered around their indifference to users’ privacy. 
Both companies must now submit to privacy audits for the next 20 years, said the FTC. Facebook took its act of contrition seriously enough to go out and hire not one, but two (!) Privacy Officers in response to the action.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="mso-layout-grid-align: none; mso-pagination: none;"&gt;&lt;span style="font-family: Garamond; mso-bidi-font-family: Garamond;"&gt;As a practitioner of the art, I take it as my responsibility to advance and elevate the issue of privacy all day and every day as far up the chain as I can, and provide visibility to current and pending privacy issues to senior management and ultimately the Board if and when they need it. Like so many other topics this year that got their time in the sun (the Arab Spring, WikiLeaks, Occupy Wall Street, to name a few) it is the right time for another, quieter, more discreet but no less revolutionary movement: to finally bring privacy &amp;amp; security from the back room to the board room.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2446058080639001783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/ready-for-its-closeup-privacy-in-board.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2446058080639001783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2446058080639001783'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/12/ready-for-its-closeup-privacy-in-board.html' title='Ready for its closeup: Privacy in the Board Room'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-4207693738541412333</id><published>2011-11-04T22:58:00.000-04:00</published><updated>2011-11-04T22:58:07.025-04:00</updated><title type='text'>How to improve privacy? How about we abolish it?</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;A true story that sets up my premise: An article in the New York Times last week written by a man, Hasan Elahi, an Associate professor at the University of Maryland – and an American - who was incorrectly identified by the FBI as someone associated with terrorists sets up an interesting discussion about the value of keeping your private information so private.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The story goes like this: while returning from a trip abroad, Mr. Elahi arrived at customs, and was asked to step aside for additional screening. After a significant period of questioning, and unadulterated cooperation by the author, the FBI ultimately realized their mistake. 
In what I interpreted as a stick in the eye to the Man, the author soon after began a process of documenting with photographs every place he had been, every meal he had eaten, every flight he had taken, every call he made, every store he had visited and every purchase made there, every toilet he used, to let them know that he was not up to no good. He began by e-mailing the FBI the photos but then set up his own web site which now ultimately houses 46,000 images of his every movement over the past 6 months. To take it one step further, he has included screen shots of his financial data, phone records and transportation logs - all cross-referenced with the photos on the site so anyone can verify he was where he said he was.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Insane? Possibly. Obsessive? Absolutely. But Elahi goes on to say that anyone who has a social media site that they use on any regular basis does almost the same thing &lt;i style="mso-bidi-font-style: normal;"&gt;willingly&lt;/i&gt; every time they post an update, send a tweet, check in, poke someone, etc. whether they realize it or not.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;More interestingly though, Elahi states:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in;"&gt;“&lt;span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"&gt;In an era in which everything is archived and tracked, the best way to maintain privacy may be to give it up. Information agencies operate in an industry that values data. Restricted access to information is what makes it valuable. If I cut out the middleman and flood the market with my information, the intelligence the F.B.I. has on me will be of no value. 
Making my private information public devalues the currency of the information the intelligence gatherers have collected&lt;/span&gt;.”&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This is an interesting premise: data about you, the real sensitive type, is only valuable to someone else, say, an identity thief, because it is so private and protected – and by inference, difficult for others to authenticate because it rarely sees the light of day. It is valuable to others, because it is valuable to you. (How much sleep do you lose knowing your name, address and phone number is in the yellow pages which has almost no value?) &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Keeping non-public data private also prevents some legitimate sources from, for example, reliably validating that the person trying to open a Best Buy instant credit card and purchase a 55-inch high-def flat screen TV is indeed you. Imagine if most of the data that you now protect so dearly (social security number, bank account number, driver’s license number) were readily public, and easily available through a Google search. The clerk at Best Buy would simply type your name into a search engine and a number of sources would corroborate (with a photo) you and all of your data. No identity thief could then be successful without a tremendous amount of effort in trying to impersonate you – and it wouldn’t be easy or worth it. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Thwarting the misuse of private data via identity theft may be as easy as making (most) private data held by governmental institutions so easily available to anyone that acquiring it means nothing since it cannot be readily misused, like it can be today. 
A secret is only a secret when it remains between a minimal number of people; when the world knows it, it becomes as useful, and valuable, as a day-old newspaper.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now, who wants to go first? &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/4207693738541412333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/11/how-to-improve-privacy-how-about-we.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4207693738541412333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4207693738541412333'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/11/how-to-improve-privacy-how-about-we.html' title='How to improve privacy? How about we abolish it?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2462638828872379100</id><published>2011-10-02T17:10:00.000-04:00</published><updated>2011-10-02T17:10:07.760-04:00</updated><title type='text'>Maximum ROI on security awareness training? 
Move from awareness to ownership!</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt; &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"  DefSemiHidden="true" DefQFormat="false" DefPriority="99"  LatentStyleCount="267"&gt;  &lt;w:LsdException Locked="false" Priority="33" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" 
Name="Book Title"/&gt; &lt;/w:LatentStyles&gt;&lt;/xml&gt;&lt;![endif]--&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;You may be unaware that October is Cybersecurity Awareness month (who knew?), since it is in competition with other major events striving to highlight their relevance as well. (National Apple month, Eye Safety prevention month, Photographer appreciation month, and National Liver Awareness month!)&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Like most of the other campaigns celebrated and promoted during October, Cybersecurity Awareness hopes to promote just that, awareness. Yet, the traditional thinking about employee training on issues like security and privacy, confidentiality, etc., has always been around the same common premise: awareness. 
Training your staff amounts to basically making them 'aware' of the threats, and as rational human beings they would avoid such risky behavior by deeming it not in their best interest. Unfortunately the process of simply conveying the threats and risks of certain behavior, by (usually) transferring the knowledge that the InfoSec team possesses to average employees, hardly constitutes awareness, at least not in the sense that we expect it to be actionable now on the part of the employee.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Though training has been well intentioned over the years, the constant blitz of threats and warnings by security experts has only, in my opinion, desensitized the average user to the real risks. Think about the old five color-coded threat warning system that Homeland Security wisely abandoned in April of this year. We had the threat level at 'High' (orange) or 'Elevated' (yellow) all but once (and for only 14 days) in the entire nine years that the system was in place. During the 17 times it was raised and lowered back and forth between Orange and Yellow, do you recall ever changing your behavior commensurate with the risk rating? No. Why? Because though you may have absorbed the information &lt;i style="mso-bidi-font-style: normal;"&gt;IF&lt;/i&gt; you happened to be taking a flight during the color change, you assumed that the job of spotting and preventing terroristic activities was largely someone else's. The act of conveying awareness never reached an inflection point. 
And, again in my opinion, the really effective and efficient way to derive value in your training &amp;amp; awareness campaigns is to move &lt;i style="mso-bidi-font-style: normal;"&gt;&lt;u&gt;from awareness to ownership&lt;/u&gt;&lt;/i&gt;.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Consider these two analogies that drive home my point of making ownership of the privacy &amp;amp; security duty a matter for all employees and not just the InfoSec team and Privacy Officer. RSA, the eminent security company, was hacked earlier this year by an attacker who may have made off with the crown jewels of the company; an event comparable to Coca-Cola losing its secret formula to a thief. How did it happen? A hacker sent emails to two small groups of employees that included an attachment titled "2011 Recruitment Plan." One employee opened the attachment and inadvertently introduced a virus inside the RSA network which ultimately gave the hacker access to the most sensitive and valued data on the company. And in doing so, it enabled later attacks against RSA's customers. Now I am positive that RSA employees have been instructed to the nth degree not to open attachments from people that they don't know, click on links to suspicious web sites, yada yada yada... But apparently this one employee (all it took) must have thought that "security was someone else's job", and "that's why we have anti-virus running on all our machines", and... you get the idea.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Secondly, consider the act of littering. When you throw trash out of the window on an interstate highway, you rarely consider the implications to you or your immediate surroundings. The effect, if any, on your conscience is fleeting; you keep moving farther away, literally, from the moment and any sense of ownership of the problem or a resolution. 
("&lt;i style="mso-bidi-font-style: normal;"&gt;They&lt;/i&gt; &lt;i style="mso-bidi-font-style: normal;"&gt;have prisoners clean that trash up, don't they&lt;/i&gt;?") However, if you live in a small neighborhood, gated community, enclave, or live in a development with association fees, you suddenly feel the pain of trash and debris more acutely as it encroaches on your residential utopia. Your 'awareness' of the effect of trash in your neighborhood quickly descends into 'ownership' of the problem since you are invested in the outcome more than you are in, say, a clean highway somewhere five states over. Soon you find yourself yelling at neighborhood kids to pick up after themselves...&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Like technology itself, hackers and other bad guys have evolved as well. Firewalls and networks have improved to the point of diminishing returns in spending on those devices; the outer defense of the company has been reinforced enough that it is almost impossible to incrementally improve security by, say, adding another moat around the building. The real long-term, sustainable improvement is via the employee. Humans are long known to be the weakest link in the security chain, and the situation can only be improved through cognizant and mindful behavioral changes. Only through the evolution of the &lt;i style="mso-bidi-font-style: normal;"&gt;awareness&lt;/i&gt; of the problem to &lt;i style="mso-bidi-font-style: normal;"&gt;ownership&lt;/i&gt; of the solution can we even begin to seriously make advancements in the holistic process of teaching employees right from wrong. 
We may never eliminate litter as a scourge, but we can get them to discover why they, as our employees, should not contribute to it, and make our company's stretch of highway the cleanest on the Interstate.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2462638828872379100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/10/maximun-roi-on-security-awareness.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2462638828872379100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2462638828872379100'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/10/maximun-roi-on-security-awareness.html' title='Maximun ROI on security awareness training? 
Move from awareness to ownership!'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-7423851865333589606</id><published>2011-09-11T18:08:00.001-04:00</published><updated>2011-09-11T18:08:25.780-04:00</updated><title type='text'>9/11 and What We Learned</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;Despite the unparalleled carnage and inestimable impact on our national economy and psyche, there were a few worthwhile byproducts of 9/11. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;First among them was the realization of what America’s reputation and standing was in the Middle East and the rest of the world in the few days and weeks after the attack. 
(Why do they hate us?) As is the case with most tragedies, it becomes quickly evident who your friends are and aren’t. Every once in a while it helps to take stock of your allies and know where you stand with everyone else.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Instantly after 9/11, the boon to privacy and security professionals became evident, especially business continuity and disaster recovery practitioners. Suddenly, the departments and disciplines that were hidden deep in the bowels of the IT department, that used to be thought of only as cost centers and road blocks to getting access to fun web sites at work, now became the rising stars of the organization. Every CEO and Board of Directors now wanted to know what their company’s plan was if they were to be attacked or lose a data center. How would they stay online? How would they recover services after a terrorist attack? Could they?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The most interesting dividend to arise from 9/11, in my opinion, however, was the suspension of disbelief in the ‘anything is possible’ scenario. On September 10&lt;sup&gt;th&lt;/sup&gt; 2001 you could not have a credible conversation with anyone whom you tried to convince that you needed to plan for a scenario where a plane might crash into your building or data center affecting your ability to continue your business. With good reason, before 9/11 no one really thought this would ever happen. Historically, when a plane was hijacked, you waited until the hijackers asked that the plane be taken to Havana or Cairo or wherever, and then landed, and then began negotiation with them. No precedent had prepared anyone for the possibility of the hijackers actually taking their own lives in the hijacking. What would that accomplish? 
How did that advance their interests if they were dead?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now of course, the approach is much different. No possibility is impossible. No scenario is too far-fetched to imagine or plan for. When I talk to service providers about how they will maintain continuity of business to my company in the event of a disaster, I expect to hear them talk about what they’ll do in the event of everything from an earthquake, hurricane, tsunami, water spout, flash flood, lightning strike, terrorist attack and even a zombie uprising. (Hey, you never know!)&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So are we any better off now after 10 years of diligence and ‘saying something if we see something’? Are we safe? Are we saf&lt;i style="mso-bidi-font-style: normal;"&gt;er&lt;/i&gt;? Has our alertness kept us out of harm's way from any additional attacks on our soil, or was it just that one small group of lunatics got lucky while we naturally had our guard down? America has habitually talked itself into one counterfeit panic after another (anyone remember killer bees from South America, SARS, bird flu, or mad cow disease?). The threat from terrorism is unfortunately not one of those red herrings; it is real and it is probably here to stay. Though every tragedy on any scale is regrettable and lamentable, we can always find a lesson or two that comes from it. At least we can find something that we can possibly benefit from or a lesson to be learned that may not have ever been probable or foreseeable.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/7423851865333589606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/09/911-and-what-we-learned.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7423851865333589606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7423851865333589606'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/09/911-and-what-we-learned.html' title='9/11 and What We Learned'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8790559755777032791</id><published>2011-07-25T22:02:00.000-04:00</published><updated>2011-07-25T22:02:26.499-04:00</updated><title type='text'>Bite the Apple. 
Just be sure it isn't wax</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;Though the debt ceiling fiasco may be hogging the headlines today, there was one little story that may have been only an esoteric IT-related ditty, but it is worth retelling here.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;If you have ever bought a Louis Vuitton knockoff on the street corner of a big city, or bought a fake Rolex on Craigslist, you usually know it to be the case in advance. Your expectations are muted. The quality of the product, and the cost of the item relative to a real article are always a concession you make for the low price of admission to faux-luxury. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now, imagine you are in an Inception-like shopping scenario where the products you see for sale on the shelves and wall are indeed genuine, but nothing else around you is. 
In a little town in China, &lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Kunming, there is apparently an Apple store just like the ones we have here in the U.S., complete with blue-shirted staff members, high ceilings and IKEA-like pine woodwork throughout the place. The problem is, Apple has not opened a store in this city yet. What has occurred, actually, is that an entire Apple store, from floor to ceiling, has literally been faked. The inventory of Apple products for sale in this store is ostensibly real; even the staff thought that they were really working for Apple! (Reselling Apple merchandise is not a crime, even in the U.S.)&lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;What I find most interesting and relevant to security about this news item is that the level of sophistication of this fraud is, frankly, almost admirable. If you are an American and used to visiting Apple stores, even you may have been challenged to realize that this store is not what it appears. (One sign on the window that said “Apple Stoer” might have given it away for you English majors.) 
Only now that this story has become worldwide news have the Chinese authorities stepped in to shut down the phony establishment.&lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;But say you had only a smattering of English understanding, only knew the Apple brand by the iconic white apple logo, or never really paid attention to detail; you would be hard-pressed to decipher that this place was bogus. My point here is that if we can barely detect a full-blown store front with all the trappings as being fake, how can your average internet user be expected to know when not to click on an e-mail or go to an unfamiliar and dangerous website? If people can be easily deluded by a ruse such as the re-creation of an entire store, who among us can be sure that we’d never be so stupid as to input our credit card number or social security number in an elaborate and almost perfectly-crafted website that looks exactly like the bank website we’re used to seeing every time we bank online? Unless you know what you are looking for, you can’t.&lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;We all know people who are afraid to bank online or engage in e-commerce for fear of being bamboozled by bogus phishing sites. Imagine someone in the Chinese town of Kunming saying something to the effect of “I’m afraid to buy a MacBook Air online, so I just go down to my local Apple store and buy it in person. 
That way I’ll be safe!”&lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Though the owner of the doppelganger Apple store may not have necessarily had deception as his primary motive as he was deceiving everyone from his landlord to his blue-shirted Genius bar staff members, the incident itself is telling on many levels. Chief among my points here is that fraud is occurring on such an increasingly sophisticated level that it is almost incomprehensible to ponder how the good guys can begin to catch up, let alone wholesale stop it. If someone will go to such lengths and efforts to recreate the bricks and mortar of an entire store in almost every dimension in the real world, imagine what chicanery is already happening in the online world, and worse, what the future holds for us! If not for the second-rate sign painter who didn’t have spell check available when he was painting “Apple Stoer,” we would never have been talking about this. It reminds me of the greatest line in the movie ‘The Usual Suspects’: &lt;/span&gt;&lt;/em&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;The greatest trick the Devil ever pulled was convincing the world he didn't exist&lt;/i&gt;.&lt;em&gt;&lt;span style="font-family: Cambria; font-style: normal; mso-ascii-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt; &lt;/span&gt;&lt;/em&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8790559755777032791/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/07/bite-apple-just-be-sure-it-isnt-wax.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8790559755777032791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8790559755777032791'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/07/bite-apple-just-be-sure-it-isnt-wax.html' title='Bite the Apple. Just be sure it isn&apos;t wax'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8446337983153366371</id><published>2011-06-05T16:42:00.000-04:00</published><updated>2011-06-05T16:42:30.939-04:00</updated><title type='text'>Corollary Risks &amp; Unintended Consequences</title><content type='html'>The global nuclear watchdog agency, the IAEA, said last week that the Japanese government was remiss in its risk assessment duties by failing to fully anticipate what dangers a giant tsunami might pose to a nuclear reactor in that country. 
In fact the head of the IAEA, Michael Weightman, actually said that he could not understand how a country that has excelled in the prediction of earthquakes could have failed so spectacularly in predicting a giant tsunami. He went on to say that "Perhaps, their methodologies or data didn't allow them to predict that this size of tsunami could occur."&lt;br /&gt;&lt;br /&gt;Huh?&lt;br /&gt;&lt;br /&gt;I am under the impression, and operate as such, that in the aftermath of 9/11's lesson, no risk scenario is too remote or unlikely to reasonably plan for and reasonably anticipate. How is it possible that Tokyo could not or did not see the corollary between a large earthquake - which Japan undergoes with regular frequency - and the quite likely consequence of a tsunami? Japan is, after all, an island nation that is surrounded by water, so tsunamis would be one of the most likely threats to consider planning for. The city of Topeka, Kansas can be excused for not having a tsunami response plan, but not any city in Japan.&lt;br /&gt;&lt;br /&gt;If you plan a beer garden event, you better have a corollary plan to address the risks of full bladders; if you plan a vacation to London, you better plan for rain; and if you plan to buy a Bugatti Veyron Super Sport ($2.7 million), a car that has 16 cylinders, has 1001 horsepower and gets only 8 miles to the gallon in the city, you had better be prepared for the consequences of higher fuel bills, higher car insurance and significantly less disposable income for other luxuries (Four new wheels and tires $50,000; Annual routine maintenance $20,000).&lt;br /&gt;&lt;br /&gt;With the Bugatti's top speed at about 253 miles per hour, need we even broach the subject of the increased risk of dying in a crash?</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8446337983153366371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/06/corollary-risks-unintended-consequences.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8446337983153366371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8446337983153366371'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/06/corollary-risks-unintended-consequences.html' title='Corollary Risks &amp; Unintended Consequences'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3784267269586008084</id><published>2011-05-04T10:44:00.001-04:00</published><updated>2011-05-04T10:45:47.099-04:00</updated><title type='text'>For Privacy &amp; Security, when Technology and Intelligence compete...it's no contest</title><content type='html'>With the recent news of the capture and death of Osama bin Laden, one thing was evident and overwhelmingly clear: our brilliant and sophisticated technological superiority notwithstanding, at the end of the day it was pure, simple human intelligence 
that produced the dramatic results.&lt;br /&gt;&lt;br /&gt;Takeaway: though technophiles like me love to layer on security tools and controls to maintain data and privacy security throughout the organization, it is the simple sentence and/or concept that hits home with the end-user employee, who sits on the front line of the trench warfare between customer confidence and blaring headlines, that matters: it is he and she who really determine our long-term success.&lt;br /&gt;&lt;br /&gt;Being able to translate the importance and criticality of security being 'everyone's job' (and not just InfoSec's) within the company is the single most valuable ROI of security &amp;amp; privacy awareness a company can realize. Forget DLP, NAC, anti-virus, encryption, etc.; translating 'intelligence' into accessible and actionable steps your employees can take to protect the company's 'crown jewels' will ultimately be the reward your business folks will be looking for, appreciate, and best of all, value.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3784267269586008084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/05/for-privacy-security-when-technolgy-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3784267269586008084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3784267269586008084'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/05/for-privacy-security-when-technolgy-and.html' title='For Privacy &amp; Security, when Technology and Intelligence compete...it&apos;s no contest'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8951978749576091165</id><published>2011-05-01T19:03:00.001-04:00</published><updated>2011-05-01T19:16:05.692-04:00</updated><title type='text'>Bring Your Own Device to Work and Help Put the IT Department Out of Work?!?</title><content type='html'>&lt;div class="MsoNormal"&gt;I was having a conversation with a fellow security professional at the CSO Perspectives seminar a few weeks ago and he used the word “disintermediation” to make a point about his 
website. We had a bit of a chuckle about how that word was used (rather, overused) during the dot-com days. The context back then was that the new, online world was going to obsolesce the traditional world of bricks-n-mortars through the ‘disintermediation’ process of cutting out the no-value-adding, costly infrastructure of middle-men.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This got me to thinking about the topic I was speaking about at the conference: the way to bring about a culturally acceptable balance between security and the use of consumerized IT. That is, how could IT departments allow users to bring and use their own equipment in the work environment and still maintain a modicum of security and privacy?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Why is this issue even a concern? In this cost-conscious environment where businesses are constantly being pressured to reduce expenses as much as possible, doesn’t consumerized IT actually make sense? &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In some ways, yes. The primary downside of this veritable technological tsunami is the impact it has had on the dynamic between the typical user and the IT department. The user demand (especially among C-level types) of bringing in a new iPad, iPhone, Droid, Xoom, etc. that they got for Christmas and expecting it to be hooked up to the company network, inevitably highlights the tension and traditional IT resistance of allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. 
These risks have led many organizations to firmly resist consumerization by restricting personal devices/consumer electronics in the workplace.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact &lt;i style="mso-bidi-font-style: normal;"&gt;disintermediating&lt;/i&gt; the IT department by working around them to get their devices to work at work. The ‘Just Say No’ position of many IT departments is in fact making the company &lt;i style="mso-bidi-font-style: normal;"&gt;less&lt;/i&gt; secure overall as it is causing employees to circumvent the rules and blockades put up and kept in place from years past.&amp;nbsp; &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The driver of this form of insubordination is clear: these days, the boundaries of a company’s information network are not as clearly defined as they were in the recent past&amp;nbsp; - the mobile phone is now the mobile office, for example. The ultimate objective of consumerization is simply work and personal life converged onto a single device. There is no longer credibility in walking around with five devices clipped to your belt, looking like something out of Batman Beyond. 
Today, if you walk into a meeting and plop down more than one device on the table, you are immediately branded a dinosaur.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The primary theme of my speech was that the trend of consumerized IT is irreversible and futile to resist, so CIO/CISO/CTOs need to seek a culturally acceptable middle-way of accommodating the movement, while still setting reasonable guidelines.&amp;nbsp; The benefits of cooperation with a workforce that is more tech-savvy than ever are numerous, not the least being that the reputation of IT as a supporter of the business will be greatly enhanced. No longer will IT be identified as the “Dept. of No.”&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Here are a few more reasons why it makes sense to listen to the sound of inevitability that’s coming at us at 100 mph. It’s all about productivity via familiarity of the toolset. Think about what life was like 15 years ago: you had use of all the great technology and software at work. When you came home, all you had were some stripped-down versions of that machinery and applications – toys, really. &amp;nbsp;Today, the scenario is reversed. Employees who have state-of-the-art technology at home can’t reconcile the fact that when they come to work they have a Windows XP, or worse, Windows 98, machine that takes 2 days to boot up. &amp;nbsp;Pent-up user demand (&lt;i&gt;I want my MTV!&lt;/i&gt;), especially of the Gen X &amp;amp; Y and Millennials should not be underestimated,&amp;nbsp; and consumerized IT can be the Holy Grail of employee satisfaction. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The toothpaste is now out of the tube, folks.&amp;nbsp; Employees are a lot more productive when they have a say on the tools they use every day. 
What we as IT professionals need to do is to show leadership &amp;amp; get it right so that the company is protected &amp;amp; users are happy. At least for now.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8951978749576091165/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/05/bring-your-own-device-to-work-and-help.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8951978749576091165'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8951978749576091165'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/05/bring-your-own-device-to-work-and-help.html' title='Bring Your Own Device to Work and Help Put the IT Department Out of Work?!?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3971801391254391311</id><published>2011-04-05T21:55:00.002-04:00</published><updated>2011-04-05T21:58:53.651-04:00</updated><title type='text'>Fare thee well, Epsilon…A future case study for brand &amp; reputation risk</title><content type='html'>Like me, maybe you have received a notice in the last few days from one of many institutions that were affected by a major data breach of Epsilon, an online marketing firm. 
So far, we are told, mostly e-mail addresses were compromised, but in some cases so were customer names. You might not think this sounds terribly alarming, unlike, say, the T.J. Maxx episode in 2007 that included the loss of 45 million debit and credit card numbers. But you would be wrong.&lt;br /&gt;&lt;br /&gt;In the T.J. Maxx scenario, only the reputation and brand of T.J. Maxx were impacted. In this case, Epsilon is the service provider to a significant list of top-tier financial institutions including Barclays Bank, U.S. Bancorp, Walt Disney, Marriott, Ritz-Carlton, Best Buy, L. L. Bean, Home Shopping Network, TiVo and Target. The ongoing concern is that customers of these institutions can now be specifically targeted by fraudulent e-mail threats known as ‘spear phishing.’ (Though notice of the breach was sent to me by e-mail, oddly enough.)&lt;br /&gt;&lt;br /&gt;In the T.J. Maxx case, the credit cards and debit cards were quickly canceled and replaced by the issuers (Visa, Mastercard, etc.). And in most cases these days, unlike in the recent past, the customer is not even responsible for the first $50 of fraudulent charges (Bank of America tells me that I will not be responsible for any fraudulent charges!). This lack of material and financial impact on a customer of T.J. Maxx helps explain why after their breach, not only did the sales of the company continue as before, but their stock price suffered no long-term ill effect. Average customers liked what the stores offered in terms of fashions and prices and disassociated the breach itself from the stores and the merchandise.&lt;br /&gt;&lt;br /&gt;In the Epsilon case, however, I fear the result will be much more disastrous for them. The publicity around this episode alone is more significant than most other ones like it. Rush Limbaugh actually used the Epsilon example today to sell one of the identity theft products he touts on his show. 
The actual service offered by Epsilon can easily be replaced, but the untarnished reputation of the brand whose customer falls prey to a fraudulent e-mail cannot so easily be restored. If my identity is stolen after I click on a fake e-mail from my bank, I am going to remember and negatively associate the experience with the bank, not the e-mail marketing vendor who didn’t encrypt my e-mail address and name in their database.&lt;br /&gt;&lt;br /&gt;We are not sure yet just how lax Epsilon was in their security controls that led to this incident. Whether or not they were as lax as T.J. Maxx was will be uncovered in brutal detail in the process over the next few weeks, especially in the security world. Security folks will be using this very case as a way to reiterate the internal message of due care and the need for this or that software or hardware to help protect their own shop from suffering a similar fate. &lt;br /&gt;&lt;br /&gt;This unfortunate series of events highlights the kind of brand and reputation risk a firm can suffer when outsourcing even the most seemingly innocuous service. Proper vendor management and due diligence of service providers will be the talk of the town over the next couple of months. Your clients will be asking what you do and how you do it in your shop, without a doubt. So be ready with a solid response.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3971801391254391311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/04/fare-thee-well-episilona-future-case.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3971801391254391311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3971801391254391311'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/04/fare-thee-well-episilona-future-case.html' title='Fare thee well, Epsilon…A future case study for brand &amp; reputation risk'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-6175078257160397997</id><published>2011-03-28T19:03:00.002-04:00</published><updated>2011-03-30T14:23:42.026-04:00</updated><title type='text'>Things Worth Fighting For</title><content type='html'>&lt;br /&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;I came across a little-publicized story this week that presents an interesting parallel to my constant message of privacy &amp;amp; security diligence. Here is the story: The Yamaha Motor Manufacturing Corporation has been making an all-terrain vehicle (ATV) in the U.S. called the ‘Rhino’ since 2003. The Rhino is different than its single-passenger predecessor since it allows for two passengers to sit side-by-side. 
&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;Four years later, the company added a few safety updates like more passenger hand-holds. Lawyers for some injured drivers (plaintiffs) jumped on the company’s move insisting that the reason the safety features were added was because the vehicles were not safe in the first place. Naturally, lawsuits piled in. Overwhelming a company with so many lawsuits that it figures it’s easier to settle than fight was the approach the plaintiffs’ attorneys took. The attorneys attacking the company even petitioned the Consumer Product Safety Commission (CPSC) to aid their suits by trying to force Yamaha to recall their vehicles.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;Yamaha did not feel a recall was warranted and even worked with the Consumer Product Safety Commission to make other modest safety changes that would satisfy the agency. &lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;Most importantly, the company responded to the litany of lawsuits in an uncommon way: It decided to fight back. &lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;The company was ultimately vindicated as it proved that in a significant number of instances, the drivers of the vehicles were grossly at fault due to their own behavior. 
Though riders are cautioned to operate the vehicle properly, the CPSC investigations indicated that product defects, insufficient warnings, negligence, etc., were not the cause of the injuries.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;What’s the takeaway then? The company believed in its product, it believed it had provided sufficient safety and precautionary advice to its customers to operate safely, and it had decided to stand its ground and fight back on a principle of having done the right thing. (How unorthodox!)&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;And what is the connection to privacy &amp;amp; security? Companies create and publish rules and guidelines for their employees all the time, explaining why and how they expect employees to follow those policies. Sometimes the rules aren’t followed. Often, the rules are only words in a document on the company Intranet to make Legal or HR happy. Sometimes the Information Security team is only a paper tiger with little enforcement power or ability to bring about change and assure compliance. &lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;But in some cases, the company itself, usually with the tone set at the top, decides to practice what it preaches and enforce the rules; make examples of those who purposely attempt to flout the rules, and inform those who do it unwittingly.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;These days, consumers are savvier than ever about information. They know the value of their information and they want it protected. 
A customer will walk away from a company that only pays lip service to the principles of privacy &amp;amp; security, and they will excoriate the company online in blogs and forums for doing so.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-size: small;"&gt;The twin pillars of privacy &amp;amp; security in a company can easily be an asset and competitive advantage to a company that knows how to leverage that expertise, and maintain its diligence. I know it’s not always easy to keep up the pressure. Employees get comfortable; employees get lazy. IT can sometimes be a hindrance and not a help to getting the business of the company done, so creative employees will go around the roadblocks to meet deadlines. Privacy &amp;amp; security sometimes suffers.&amp;nbsp; When a company becomes lax, or inertia sets in, the guard gets let down and rules are no longer followed or enforced. That’s when incidents happen; that’s when headlines happen.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="margin: 0.1pt 0in;"&gt;&lt;span style="font-family: Times, &amp;quot;Times New Roman&amp;quot;, serif; font-size: small;"&gt;If a company believes in its principles, believes it has provided reasonably sufficient safety and precautionary advice to its employees to treat and handle information securely, and it decides to stand its ground and fight back against the perpetual inertia of letting violations slide by because it’s easier than making a fuss, then it has done the right thing. It will fight back and should fight back. Why? 
Because privacy &amp;amp; security is worth fighting for.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/6175078257160397997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/03/things-worth-fighting-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6175078257160397997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6175078257160397997'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/03/things-worth-fighting-for.html' title='Things Worth Fighting For'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-5387604584436883717</id><published>2011-02-03T20:32:00.000-05:00</published><updated>2011-02-03T20:32:56.399-05:00</updated><title type='text'>What Does Stuxnet and Rollerball Have in Common?  
Only The Future of Warfare...</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"  DefSemiHidden="true" DefQFormat="false" DefPriority="99"  LatentStyleCount="267"&gt;   &lt;w:LsdException Locked="false" Priority="0" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Normal"/&gt;   
&lt;w:LsdException Locked="false" Priority="9" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 1"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 2"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 3"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 4"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 5"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 6"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 7"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 8"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 9"/&gt;   &lt;w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/&gt;   &lt;w:LsdException Locked="false" Priority="10" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Title"/&gt;   &lt;w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/&gt;   &lt;w:LsdException Locked="false" Priority="11" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/&gt;   &lt;w:LsdException Locked="false" Priority="22" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Strong"/&gt;   
&lt;w:LsdException Locked="false" Priority="20" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="59" SemiHidden="false"   UnhideWhenUsed="false" Name="Table Grid"/&gt;   &lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/&gt;   &lt;w:LsdException Locked="false" Priority="1" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" 
Name="Colorful List"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/&gt;   &lt;w:LsdException Locked="false" Priority="34" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/&gt;   &lt;w:LsdException Locked="false" Priority="29" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Quote"/&gt;   &lt;w:LsdException Locked="false" Priority="30" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   
UnhideWhenUsed="false" Name="Dark List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/&gt;   
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="73" 
SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading 
Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="62" 
SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="19" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="21" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="31" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/&gt;   &lt;w:LsdException Locked="false" Priority="32" SemiHidden="false"   
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/&gt;   &lt;w:LsdException Locked="false" Priority="33" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/&gt;   &lt;w:LsdException Locked="false" Priority="37" Name="Bibliography"/&gt;   &lt;w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt; /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}&lt;/style&gt; &lt;![endif]--&gt;  &lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;We have seen the future of war, and its name is Stuxnet.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;When I was a kid, one of my favorite movies was a science fiction picture that proposed the idea that in the future, nations would no longer exist and war would no longer exist. The world would be controlled by a handful of international corporations. &lt;span&gt;&amp;nbsp;&lt;/span&gt;The controlling industrialists realized the folly of war with its destruction, its carnage, its irrelevance, and resorted instead to a particularly gruesome sport as a proxy for war itself: Rollerball. 
Primary cities each had their own teams and the teams would battle it out on the hardwood coliseum for supremacy. The movie's tagline is: "In the not too distant future, wars will no longer exist. But there will be Rollerball." (Rollerball is like a cross between roller derby, hockey and motocross.)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;The original version of the movie (1975) is a bit dated and contrived, but Rollerball does contemplate a future that, in retrospect, now seems pretty plausible and a good security allegory.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;The worst-case scenario of all-out nuclear war looks unlikely to occur for a variety of reasons, not the least of which is the overwhelming destruction and the obvious repercussions on the instigator. What is much more likely, based upon recent evidence, is that States and private industry will increasingly engage in proxy fights through esoteric non-State actors. Numerous examples of these proxy fights exist, including cyber-warfare between entities where the target was obvious but the attacker was not. In 2007, a three-week wave of massive cyber-attacks was aimed at the small Baltic country of Estonia, where Parliament, banks, and the media were targeted, allegedly by Russian hackers after the Estonians' removal of a Soviet war memorial in the center of the capital, Tallinn. 
In late 2010, companies like Visa, MasterCard, PayPal and Amazon.com were also targets of coordinated distributed denial-of-service attacks by hacker sympathizers of Julian Assange, designed to force the websites offline or make them generally unavailable for business, in response to the websites' refusal to process payments to support the WikiLeaks effort.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;To best illustrate the premise that future conventional warfare for most of the advanced world will pose a lesser risk than it has historically, and will instead be replaced by pure cyber-warfare, consider the case of Stuxnet. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;'Stuxnet' is a computer worm that was launched in July of last year with a destructive payload that had a defined target: Windows-based industrial systems. The worm was designed very specifically to attack only certain types of industrial systems, like the ones that run nuclear plants. Unlike most viruses and malware, Stuxnet does little harm to computers and networks that don't meet the explicit configuration requirements of its code. 
Like a laser sight on a sniper's rifle, fingerprinting technology allows Stuxnet to precisely identify the systems it infects. The creator of this worm took great care to ensure that only the designated target(s) were hit. A tremendous and sophisticated effort was required to avoid collateral damage.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;What was the intended target? It is difficult to say for sure, but this much is known: 60% of the infected computers worldwide were in Iran. It is surely not a coincidence that Stuxnet infected the systems at two nuclear power plants that were hurriedly trying to enrich uranium&lt;span style="color: #0070c0;"&gt;. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;The complexity of the code and the use of multiple programming languages suggest that only a State or collection of States with deep enough pockets and vast dedicated resources could have the collective skill to create and deploy such a focused cyber-weapon. Most of the blame falls on the U.S. or Israel in particular, who would ostensibly have the most to gain by stopping or slowing the ability of the Iranians to get nuclear capability. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;The supposition then is obvious: this cyber-weapon was created to do what conventional warfare and diplomacy could not, by surreptitiously taking out enemy nuclear capabilities like a sniper in the night. Unlike the very public 2007 Israeli air force raid on a Syrian site that the Israelis claimed was a nuclear facility with a military purpose, the Stuxnet attack is a much lower profile attack. The message is no less ambiguous than a full frontal assault and the effect just as valuable. Coupled with the additional benefits of no human casualties and no political fallout, cyber warfare appears to also be very, very cost effective.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;From the limited test case of Stuxnet, we can easily extrapolate to a 1984-like world of cyber-warfare where, instead of Oceania declaring war on Eurasia one week or Eastasia the following week, battles will be played out over DS3s, T1s and fiber optic networks. Rather than sending one million expensively armed soldiers to invade an enemy, one simple mouse click could deploy a worm or virus that will shut down power grids, water systems or wreak havoc on international financial systems.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Garamond&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;It may not be roller derby, but either way, Stuxnet presages the future of warfare.&lt;/span&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/5387604584436883717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/02/what-does-stuxnet-and-rollerball-have.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5387604584436883717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5387604584436883717'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/02/what-does-stuxnet-and-rollerball-have.html' title='What Does Stuxnet and Rollerball Have in Common?  
Only The Future of Warfare...'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2679124629120348822</id><published>2011-01-29T16:47:00.000-05:00</published><updated>2011-01-29T16:47:28.850-05:00</updated><title type='text'>The TSA Color Coded Alerts: Fade To Black</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Is it any surprise that the TSA announced this week that the color-coded threat system it has had in place since post-September 11th is being replaced?&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;I will refrain from comment on the new system until the details have been fleshed out and give it a chance to better inform us of what real and imminent dangers we may be in store for.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;However, last post I made a point about the threat system having 5 different levels, and never having been at the two lowest colors - blue and green. 
Security expert Bruce Schneier makes this pithy insight:&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;"&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;The DHS could have lowered the level to something more reasonable, but that would have been politically impossible. If there were a terrorist attack and the threat level had been blue or green, the DHS would have been blamed for not warning us. Keeping the level high might increase the general dread among some people and cause sniggering among others, but it helps protect the jobs of those charged with keeping us safe from terrorism."&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Schneier also goes on to make the great point about our ability to be on alert, which is the intention of the colored system. But always having the alert color be at one of the three highest of the colors puts a tremendous burden of responsibility on average travelers. Schneier says "&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;According to scientists, California could experience a huge earthquake sometime in the next 200 years. 
Even though the magnitude of the disaster will be enormous, people can't stay alert for two centuries."&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;He's right. We have to be on our guard for sure, and I always like to say that every and any decision we make day-to-day is a risk-based decision, but we cannot be infinitely diligent. Human beings just don't have the mental ability to be that alert at all times. We can't even text and drive at the same time.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2679124629120348822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/tsa-color-coded-alerts-fade-to-black.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2679124629120348822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2679124629120348822'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/tsa-color-coded-alerts-fade-to-black.html' title='The TSA Color Coded Alerts: Fade To Black'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3556854929070787525</id><published>2011-01-13T18:27:00.000-05:00</published><updated>2012-02-05T19:43:29.772-05:00</updated><title type='text'>What hath too much security awareness wrought?</title><content type='html'>&lt;div style="border-color: -moz-use-text-color -moz-use-text-color rgb(79, 129, 189); border-style: none none solid; border-width: medium medium 1pt; color: black; padding: 0in 0in 2pt;"&gt;&lt;div class="ecxunderline"&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="ecxMsoPlainText" style="color: black; 
font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;As  a creator and purveyor of security awareness, it has always been my  position that there is no such thing as too much awareness or the need  to be alert and attentive to the possibilities of an untoward or adverse  event. So I can appreciate the fact that the TSA or Department of  Homeland Security wants to make us aware of new and impending threats to  our safety. But in this day of Threat Advisories, patdowns, three ounce  liquid limitations, X-Ray scanners and the like, I believe that we have  finally crossed the line into the surreal.&lt;/span&gt;&lt;/div&gt;&lt;div class="ecxMsoPlainText" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoPlainText" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;Two  events this month have made airline security like the annual Simpsons  Halloween special. (For non-Simpsons fans, this is the one annual  episode where the show takes on a bizarre plot line and completely  abandons any pretense of being realistic.) &lt;/span&gt;&lt;/div&gt;&lt;div class="ecxMsoPlainText" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoPlainText" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;On  January 5th, while over Canada en route to Germany, an airplane's radio  went awry, and the pilot thought he put the “No Radio” code (7600) in  the transponder but mistakenly entered the code ‘7500’, which means  "hijacking or unlawful interference". The crew ultimately confirmed that  the issue was a communication issue and not a hijacking. The plane was  ultimately diverted to Toronto however.&amp;nbsp; What  caused the ruckus? 
One of the pilots spilled some coffee on the console  due to some turbulence, and while trying to clean up the mess the pilot  entered the wrong code.&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-size: large;"&gt;&lt;span style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&amp;nbsp;&lt;/span&gt;&lt;br style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;" /&gt;&lt;span style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;The  second story, a day later, was a case where a Florida professor was  arrested and removed from a plane&amp;nbsp;after fellow passengers alerted crew  members they thought he had a suspicious package in the overhead which  was “making suspicious sounds.” &amp;nbsp;That "suspicious package" turned out to be a set of keys, a hat, and a bagel with cream cheese. He was removed from the plane because he took exception to the crew’s questioning, probably reminiscent of the KGB (&lt;i&gt;Where are your papers&lt;/i&gt;?!) and was ultimately handcuffed. &amp;nbsp;&lt;u&gt;Note to self&lt;/u&gt;: always order the ‘noiseless’ cream cheese. 
&lt;/span&gt;&lt;/span&gt;  &lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;(I am not even going to tell you about the passenger on a flight from Fort Lauderdale to Denver who was pulled off a plane last week after other passengers said he was “taking too many bathroom breaks”!)&lt;/span&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;Because of the deluge of awareness warnings and veiled threats to your safety, we have become so prone to over-reacting that now we all jump if we hear a loud sound in the airport. Even in the subways in NYC we are urged that if we "see something" we should "say something." Average citizens have become deputized Barney Fifes with no accountability but plenty of assumed authority, as the bagel and bathroom cases above suggest. Passengers have become the de facto authorities on suspicious or terrorist activities on planes all of a sudden. Now I know that many real threats have been thwarted or suspects captured with the help of average citizens who report tips, but imagine the inundation of false and ridiculous leads law enforcement have to follow up on when you request the aid of amateurs. As a Muslim man, you almost couldn't get on a plane in the US after 9/11 due to the hysterics that followed. And God forbid if you were flying with a few of your friends. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;The Department of Homeland Security has five levels of alerts: &lt;b&gt;Low = Green; Guarded = Blue; Elevated = Yellow; High = Orange; Severe = Red&lt;/b&gt;. Since the introduction of the system in 2002, we have never had a Green or Blue status, only Yellow, Orange and Red. Do you know how many times it has been changed since 2002? No? Why would you? Do you get to keep your shoes on at the airport when the threat is lowered? No. Do you see any real &lt;i&gt;improvement&lt;/i&gt; in security after they raise the threat? Not really, but you do see some procedural changes in which the government and TSA react to the &lt;i&gt;last&lt;/i&gt; threat - not necessarily a future, possible threat. How many other shoe bombers have we had since Richard Reid? (None.) How many additional underwear bombers have we had since the Underpants of Mass Destruction attempt? (None.) Boxcutters? You get my point... (By the way, the Threat Level has been changed &lt;b&gt;16&lt;/b&gt; times since 2002.)&lt;/span&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="ecxMsoNormal" style="color: black; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;span style="font-size: large;"&gt;If I have learned anything about security awareness training and campaigns, it is that although people can deal with the constant reinforcement of subtle awareness messages, they quickly become desensitized to hysterical warnings, especially if they see no immediate crisis to warrant the warnings. 
The most effective training, in my opinion, is to  mete out the awareness with intelligent, well-reasoned arguments about  what is the best behavior and what the possible risks might be. Both  'Chicken Little' and 'The Boy Who Cried Wolf' approaches are proven  dead-ends. &lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;

&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3556854929070787525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/what-hath-too-much-security-awareness.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3556854929070787525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3556854929070787525'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/what-hath-too-much-security-awareness.html' title='What hath too much security awareness wrought?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8611256164880303718</id><published>2011-01-02T19:29:00.000-05:00</published><updated>2011-01-02T19:29:41.158-05:00</updated><title type='text'>The Right to be Forgotten Exists In Some Cases...Like This One.</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;In these blogs I have often presented the perils that we face if we unthinkingly post pictures, opinions or tweets about activities or events we have engaged in or have experienced. The takeaway has always been that the users must analyze every possible aspect of what his or her post will or may be construed as, not only now, but five years from now when, for example, the adolescent is applying for that position at a respected organization, scholarship at some Ivy League school, or even a prospect for a first date.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Most people rightly have no sympathy for smart individuals who should otherwise know better, and who cannot self-censor. At this stage in the evolution of social media, we all know how data persists forever, and what you post or say online should be something that you should be prepared to live with, or defend, forever. 
(You do understand this, right?)&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;But what about those who can't defend themselves?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You may have missed this recent story, but it is a frightening example of how, through no fault of their own, two children, 4 and 5 years old, will forever be affected by the ubiquity and persistence of information in the public domain.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Here's the story: an 87-year-old woman with a walker was knocked down by accident on a street in New York City by one or both of the two children, 4 and 5 years old, who were riding their bicycles. The woman had to be taken to the hospital. She died 3 months later of unrelated causes. The old woman's estate sued the parents of the children claiming negligence: they should have been supervised better, the suit asserts.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;A judge in NY state ruled that the kids could be sued in a civil injury context and the names of the children were then made part of the public record, as is customary. Ultimately, the New York Times reported on the case due to its extraordinary nature, and the kids' names have now become more widely distributed. 
A common practice in the world of public law has now uniquely, and probably permanently, identified these children in a less than positive light for the rest of their lives.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Though a post on Facebook, LinkedIn, Twitter or MySpace and the publication of the two children's names may seem unrelated and dissimilar, they have one component in common: the perpetuity of the information. The issue is not that the legal process required the publication of the defendants' names in a public record; that procedure has been common practice for hundreds of years. The issue is more the fact that the memory of online databases and search engines is or will be assumed to be infinite.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Ten years from now, when the classmates of these two children do Google searches on all their friends, what do you think the top search result will be? How do you think teenagers in high school will likely interpret and process that data? (Johnny killed some old lady when he was 5?!!) I doubt that Johnny will see that past experience as a possible résumé enhancer.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;It is inevitable and to be expected that a future Human Resource manager will do a Facebook or Google troll on you to see why they might not want to hire you. What do you think the impact will be on the job prospects of these two kids when this case comes up on the search? These two children may always be haunted by the persistence of memory and will not have the privilege or the right to be forgotten.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;

&lt;script type=IN/Share data-counter="right"&gt;&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1411700222164224755-8611256164880303718?l=privacynsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8611256164880303718/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/right-to-be-forgotten-exists-in-some.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8611256164880303718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8611256164880303718'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2011/01/right-to-be-forgotten-exists-in-some.html' title='The Right to be Forgotten Exists In Some Cases...Like This One.'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-5304998878824599890</id><published>2010-12-23T15:52:00.001-05:00</published><updated>2010-12-25T17:51:01.350-05:00</updated><title type='text'>Playing dumb worked for Anna Nicole, but doesn't work for a business</title><content type='html'>I finally had my first experience with the new backscatter x-ray machines at an airport security line last week. I was unable to see what the TSA saw as they looked through my clothes, though I did walk away with a few observations of my own. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;First, as I was about to go through the usual metal detector device, a TSA agent asked me to remove my belt. How this little piece of a belt buckle could take off a bottle cap, let alone take down an airliner, is beyond me. Since I never proactively remove my belt, the time wasted and humiliation element of the experience notwithstanding, it is the inconsistency of the request that most disturbs me and shakes to the foundation my faith and trust in the staff at the TSA.&lt;br /&gt;&lt;br /&gt;Since I admittedly gave the TSA agent a little bit of attitude for her asking me to remove my belt, (but allowed me to keep on my chunky, solid steel watch which in addition to weighing 5 times more than my belt buckle, could probably represent a weapon of mass destruction if thrown hard enough), she then asked me to step into the backscatter x-ray machine. The watch did not set off the metal detector by the way. Never does.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Second, though I (hopefully) do not represent an obvious threat to airline safety, as I possess none of the notable, empirical characteristics associated with would-be terrorists (except being a male): young, of Middle Eastern or African descent, possibly Muslim, on a watch or do-not-fly list, possessing a one-way ticket, paid for ticket in cash, no checked luggage, sweating or fidgeting in line…I could go on. I am, in contrast, a frequent flyer, family man and in no possession of any radical views or positions (other than privatizing or otherwise banning the TSA.) 
Had any other terrorist ever boarded a flight with a Kindle?&lt;br /&gt;&lt;br /&gt;So I took the request to go through the x-ray scanner as a purely punitive measure on the part of the TSA agent – not a random check, mind you, but a minor punishment as only a petty tyrant with no other power outlet than that at her disposal might inflict.&lt;br /&gt;&lt;br /&gt;Finally, I had to remove everything – literally everything – out of my pockets including my wallet and 3 small vitamins before the scanner would work. Isn’t the point of the device to be able to detect stuff in my pocket or in my person?!?&lt;br /&gt;&lt;br /&gt;In theory, I am not opposed to security measures to prevent or thwart terrorism on airplanes. I am one of the primary beneficiaries of security since I travel so much and am statistically more likely to incur an incident than your average American. What I do always question however, and I’ve said this before in previous posts, is the seeming lack of consistency and reason behind much of the decision-making and apparatus in place. The response is that it is done intentionally so as not to allow terrorists to get comfortable with the TSA’s techniques. Playing dumb so as to allow the enemy to underestimate you? Fine. Classic move from the Art of War. I would love that idea if it could ever be true of the TSA.&lt;br /&gt;&lt;br /&gt;Playing dumb, however, should not be an operational strategy for a business. It doesn’t work for me at my job, at home or anywhere else in the real world. The market severely punishes any company in the private sector if that is their approach – it does it all the time to drug companies that fail FDA tests or mischaracterize the benefits or uses of their drugs. And these kinds of events kill more people than terrorists have ever done!&lt;br /&gt;&lt;br /&gt;Let’s privatize the TSA and hold them to the same standards as a private company. 
Once we make them play by the same rules and standards of transparency as the private sector, then we can begin to peel away the layers of charade and concentrate on the real measures of security that will ensure flyers’ safety without having to frustrate us into submission. And let us keep our clothes on and our dignity intact.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/5304998878824599890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/12/playing-dumb-worked-for-anna-nicole-but.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5304998878824599890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5304998878824599890'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/12/playing-dumb-worked-for-anna-nicole-but.html' title='Playing dumb worked for Anna Nicole, but doesn&apos;t work for a business'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-6360002995256247278</id><published>2010-11-28T20:12:00.000-05:00</published><updated>2010-11-28T20:12:17.772-05:00</updated><title type='text'>Have a 'pat down' this holiday season? 
Don't be afraid to invoke the "P" word for better security.</title><content type='html'>&lt;div style="color: white; font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="color: white; line-height: normal;"&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;As the holiday travel schedule ramps up, so does the fervor and objections over pat downs and invasive screenings at airports in the United States. 
People recently subjected to these "love pats," as a Senator from Missouri innocuously (and ridiculously) referred to them, are in for quite a shock if they fly anywhere else in the world except, say, Cincinnati or Des Moines.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;&amp;nbsp;As any frequent international traveler can corroborate, very intense and 'hands on' searches occur in almost every other international airport in the civilized world. Try flying through Frankfurt and &lt;b&gt;&lt;i&gt;not&lt;/i&gt;&lt;/b&gt; be subjected to a body search that even your family care doctor would find comprehensive. And these are not new procedures; I can remember the same thoroughness in place at Frankfurt, Heathrow and every Indian airport I have flown through for the last 5 years.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;Why are Americans so indignant about the new procedures? Since when is flying a constitutional right? This is not healthcare; if you don't like the scrutiny you are subject to, you are welcome to use a car, train, bus or boxcar. Inconvenient? Sure. 
But so is political correctness, it appears.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;In this country we are so terrified to offend any person of any race, creed, religion or origin that we will go out of our way to inconvenience an almost total majority to show how fair and even-handed we are to any minority. This approach to security is 180 degrees different than the one the Israelis take. You won't see any nuns, 80-year-old grandmothers or 4-year-olds being body searched. What you will see is a laser focus of their resources on the most likely and foreseeable risks to the safety of their citizens and the airlines. As I love to say, every decision you make is a microcosm of risk management.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;&amp;nbsp;In American and European airports in particular, significant volumes of traffic moving through them have required their associated security procedures to rely mainly on technology for screening luggage and detecting passengers with ill intent. Israel’s security philosophy, however, is based on a blend of advanced detection devices and personal interaction with the passengers. Granted, the primary airport in Israel, Ben-Gurion International, handles only about 12% a year of what U.S. 
airports handle annually, yet there are still some lessons we can learn.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;Passengers are questioned from the time they drive up to the airport, until they are ready to board the plane. Usually, each person is questioned two or three times by different security agents, to ensure the story is consistent. Arab or Muslim passengers get extra-thorough screening, as do non-Jewish tourists. The Israeli method does not limit itself to only the profile of the 'typical' terrorist (if they exist anymore), but instead spends time questioning or searching anyone who appears nervous, flustered, inconsistent or just not right.&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;No airplane has ever been hijacked from Ben Gurion since the Israelis are not shy about deploying the "P" word - profiling. In the U.S. that word is such a hot button since it is typically associated with another taboo word - 'racial.' So when you add 'racial' and 'profiling' together, you have the most volatile term in the American lexicon - racial profiling.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;For very good reasons, racial profiling is wrong, and more importantly for security and safety reasons, it is inefficient. 
Terrorists are not stupid; they have started recruiting other willing accomplices who do not fit the once tried-and-true terrorist profile: young, Middle Eastern, Muslim males. If we continue to focus efforts solely on this cliché of a potential threat, we will always be chasing yesterday's news - with disastrous consequences.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;Ironically, since early January of this year, the United States has in fact introduced new requirements based on a traveler’s country of origin or citizenship. Citizens from 14 countries — including Afghanistan, Nigeria, Pakistan, Saudi Arabia, Yemen and Syria — are now required to undergo an extra search before getting on planes bound for the U.S. Profiling? Probably. Racial profiling? Definitely! I would argue that even enunciating and singling out these 14 countries is short-sighted and will ultimately be unproductive. If I were Al Qaeda, I would make sure that all of my next 100 recruits &lt;u&gt;did not&lt;/u&gt; have passports from any of these countries. How easy would that be?&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: 0.0001pt;"&gt;&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt;"&gt;So what are your options this travel season? You can subject yourself to the pat-downs or get your revealing full-body scans (with you assuming the "I surrender" hands position), and "Say nope to the grope." 
Or, you can start to demand that we drop the inefficient, ineffective and politically correct way of American security screening: treating &lt;u&gt;every&lt;/u&gt; traveler as if they were a possible terrorist. And instead, start to incorporate better and more efficient techniques from others who have learned and incorporated the art and techniques of risk management.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/6360002995256247278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/11/have-pat-down-this-holiday-season-dont.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6360002995256247278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6360002995256247278'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/11/have-pat-down-this-holiday-season-dont.html' title='Have a &apos;pat down&apos; this holiday season? 
Don&apos;t be afraid to invoke the &quot;P&quot; word for better security.'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-171623507687048781</id><published>2010-11-14T07:05:00.000-05:00</published><updated>2010-11-14T07:05:46.628-05:00</updated><title type='text'>India Gets Into The Identity Race</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"  DefSemiHidden="true" DefQFormat="false" DefPriority="99"  LatentStyleCount="267"&gt;   &lt;w:LsdException Locked="false" Priority="61" 
SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 
6"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/&gt;   &lt;w:LsdException Locked="false" Priority="19" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="21" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="31" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/&gt;   &lt;w:LsdException Locked="false" Priority="32" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/&gt;   
&lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;  &lt;br /&gt;&lt;div class="Standard"&gt;I have spent the last 10 days in India, concluding my 12&lt;sup&gt;th&lt;/sup&gt; visit in 7 years. I have seen noticeable progress in the rickety infrastructure each and every time I go, as India walks away from the past and races to the future. However, this time I saw progress in a different, less obvious way.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;Last month, the Indian government rolled out the first country-wide AADHAAR ('&lt;i&gt;foundation&lt;/i&gt;' in Hindi) to an Indian resident. This will be a unique 12-digit identification number, like a social security number, that ultimately all Indians will possess. 
The government hopes to complete and issue at least 600 million IDs to its 1.2 billion citizens by 2014.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;Currently, there exists a limited quasi-social security number in India; however, the government intends to reach out to the rural and less connected masses as part of the program. Formalizing and documenting the 'official' identity of millions of the rural poor will, among other things, help them bypass more expensive money-lenders and tap into the formal banking system. What is unique about this initiative, though, is the format and approach to the effort, and how dramatically it differs from the similar process in the United States.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;In the US, as you know, all babies at birth are issued social security numbers, along with a snappy little bluish-white paper card (that some people still bizarrely carry around with them!?) printed with a unique nine-digit number. As easy as it is to counterfeit or replicate it, some places, believe it or not, still ask for the card as some legitimate proof of identification – think of the DMV as you try to renew your driver's license. No surprise there.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;The AADHAAR, however, will be printed on a smartcard or other official document that will include 3 factors of identification unique to the person: an iris scan, a photograph and all ten fingerprints. To get a number, Indians will have to physically go to an enrollment agency and submit their credentials, which will ultimately be collected in a central repository.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;Orwellian fears and privacy concerns aside, what this will mean to the Indian economy is monumental. 
Soon, millions of Indians who are otherwise prevented from participating in the growth of the sizable economy will now be plugged into the system and able to leverage money and services that were never available to them before. In turn, millions, maybe billions of rupees in revenue that would have gone to the black market or otherwise unreported (and untaxed) can now be put to better use. Think of the number of new jobs that will be created to both implement and support this system once it is effected.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;These new jobs won't all be the classic government-teat-sucking positions that you might think they'd be. Software has to be developed and supported; card readers will have to be created and deployed. All areas of the private sector will be prodded to build new ways to accommodate and authenticate their customers across a number of different mediums. The US should take note here as the rest of the world moves to smartcard technology, while we stick with traditional magnetic stripe technology and easily forged driver's licenses.&lt;/div&gt;&lt;div class="Standard"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="Standard"&gt;India will face many challenges as it attempts to implement a process like this, as it does with almost everything else that happens in that country. What will be most interesting to watch is how and if it is ever able to play catch-up and issue every citizen an AADHAAR. With a target rate of 10 million cards issued every four months, and a population growth of 4 million new people every quarter, it will be a very tough race to win.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/171623507687048781/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/11/india-gets-into-identity-race.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/171623507687048781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/171623507687048781'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/11/india-gets-into-identity-race.html' title='India Gets Into The Identity Race'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-9128490368736008441</id><published>2010-10-12T21:39:00.000-04:00</published><updated>2010-10-12T21:39:35.456-04:00</updated><title type='text'>Privacy &amp; The Risks of Visibility</title><content type='html'>True story: a woman in New York tried to sue the manufacturer and distributor of an allegedly defective office chair after she fell out of the chair, claiming "serious permanent personal injuries." She alleged, among other things, that she had "pain and progressive deterioration with consequential loss of enjoyment of life." 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Lawyers for the chair company were naturally suspicious because a recent photo of the Plaintiff on the internet showed her smiling and standing, without apparent assistance, instead of living the pain-filled existence she was asserting in her lawsuit. (She claimed she was confined largely to her bed and house.) It seems she also took a recent trip to the Sunshine State, and appeared to be generally enjoying life. So then, where did the lawyers dredge up this seemingly damning evidence? Private investigators? GPS satellite photos? CSI? No. Where else? Facebook.&lt;br /&gt;&lt;br /&gt;With good reason, lawyers for the chair company, trying to determine if the case had any merit and if the injuries sustained were as severe as the plaintiff made them out to be, had trolled the internet. Finding evidence on Facebook (D’oh!) that the claim may not have as much merit as initially asserted, the chair company pressed a local NY judge to allow the company more access into the woman’s social media sites(!), Facebook and MySpace. &lt;br /&gt;&lt;br /&gt;Essentially, the judge - Acting Justice Jeffrey Spinner of Suffolk County Supreme Court - told the plaintiff that she must allow the chair company access to her social media sites since “in light of the fact that the public portions of Plaintiff's social networking sites contain material that is contrary to her claims and deposition testimony, there is a reasonable likelihood that the private portions of her sites may contain further evidence….all of which are material and relevant to the defense of this action.” Again, since someone posted something online contrary to their best interests, notwithstanding whatever privacy settings she thought she had on the sites, she now has practically incriminated herself.&lt;br /&gt;&lt;br /&gt;Social media has really become the third rail of identity in the last 5 years. 
We have our professional online identities (and even places to post pictures of us in suits and ties – LinkedIn, Plaxo), our online personal identities (Friendster), and now the two big ones, Facebook and Twitter, that ever increasingly blur the line between personal and professional lives. Look at how sales people create Facebook pages, for example. The really good ones make it hard to differentiate who their friends are and who their customers are. Either way, they make it very convenient for other people to find them with lots of freely disclosed information.&lt;br /&gt;&lt;br /&gt;Back in the old days, when you wanted publicly available information on someone, you had to take laborious steps such as going to a county courthouse, or some other house of public records, and spending the day looking up details in big, dusty official books. Each individual had to be investigated one by one. Today, however, the internet, and specifically social media sites, have become the new public record. Someone can instantly search for info about you, not only across most public databases, but across other sites into which you have voluntarily input data to be collated and analyzed, usually to your detriment.&lt;br /&gt;&lt;br /&gt;Think about how human resource departments typically work. They get a hundred resumes for one job opening. In theory, they are looking for the right person; in reality, they are looking to weed out the wrong people. Though they could not admit it, they use social media tools and Google searches to build or justify a hunch, prejudice or bias against you as a candidate. It makes sense from their perspective. You cannot really blame them; it is just their way of doing a risk assessment on an unknown risk, you.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/9128490368736008441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/10/privacy-risks-of-visibility.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/9128490368736008441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/9128490368736008441'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/10/privacy-risks-of-visibility.html' title='Privacy &amp; The Risks of Visibility'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8412054679406111629</id><published>2010-09-09T19:16:00.001-04:00</published><updated>2010-09-12T08:20:06.479-04:00</updated><title type='text'>Security through stupidity.....still!  Thank God!</title><content type='html'>Did your company suffer through the "Here you have" virus, as it is now being called? It was one of the few exciting security events to happen to us guys in a number of years. 
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Good news&lt;/u&gt;&lt;/strong&gt;: these inconveniences are becoming fewer and farther between as our technological defenses are getting better and smarter. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Bad news&lt;/u&gt;&lt;/strong&gt;: we are still relying on the human element as the last bastion of protecting ourselves against basic attacks like this.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Worse news&lt;/u&gt;&lt;/strong&gt;: even at the human level, the reason that many attacks don't make it is that the attackers are still seemingly unable to both spellcheck and put proper punctuation in sentences...the dead giveaway of a bogus e-mail....&lt;em&gt;still&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;Look at an excerpt from the 'Here you have' example:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;"This is The Document I told you about,you can find it Here&lt;/strong&gt;." &lt;br /&gt;&lt;br /&gt;See the mistakes? Capitalized words in the middle of a sentence, sloppy and incorrect punctuation, etc. The bad guys in this situation are either not native English speakers, or they were just stupid or lousy students who goofed off in English class. &lt;br /&gt;&lt;br /&gt;Either way, we will only have a short period of time until these types finally get their act together and learn how to use that super-sophisticated advanced technology tool known as 'spellcheck.'</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8412054679406111629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/09/security-through-stupiditystill-thank.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8412054679406111629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8412054679406111629'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/09/security-through-stupiditystill-thank.html' title='Security through stupidity.....still!  Thank God!'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-7622385738964961274</id><published>2010-09-06T16:32:00.000-04:00</published><updated>2010-09-06T16:32:22.368-04:00</updated><title type='text'>The Social Engineering Attack: Men vs. 
Women.</title><content type='html'>As summer fades to a close, and we mentally resign ourselves to getting back into work, I am interested in a recent contest that was just held about social engineering and how men and women fare differently against social engineering attacks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For those of you who don’t know what social engineering is (it is also called ‘pretexting’), think about when you have ever used any degree of charm, persuasion, eyelash batting or a glimpse of excess cleavage to get yourself bumped up to first class in an airplane, get into a crowded event, get out of a speeding ticket or just generally get something that you may not on the surface deserve. That is, you have ‘engineered’ your audience into doing your will. This is what the most skilled and devious thieves do to us – get information from us that helps them do bad things. It is the toughest attack to fend off and defend against, as our nature is to be helpful and help a brother out.&lt;br /&gt;&lt;br /&gt;This recent social engineering contest consisted of social engineering hackers calling 135 employees from Fortune 500 companies, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola, and trying to get the employees to divulge or reveal information that could be misused by the attackers, such as which operating system, antivirus software and browser the companies used. The ’bad guys’ also tried to talk the ‘victims’ into visiting unauthorized web sites. Most of the information compromised in the contest was gotten by the hackers pretending to be insiders who were doing audits or consultants filling out surveys.&lt;br /&gt;&lt;br /&gt;But here is the really interesting part: only five of the group of 135 refused to give up any corporate information at all. 
And all of the five were women.&lt;br /&gt;&lt;br /&gt;The team that held the contest was unsure as to why it was only women who failed to reveal any data, but there are some other common traits. Three of the five women who shut down contestants were managers, and female managers are generally the least likely to fall for social engineering attacks. A security consultant who commented on the contest stated that the findings make sense, as female managers are “going to be the least trusting, the most suspicious.”&lt;br /&gt;&lt;br /&gt;This contest also points out another important factor: when it comes to the social attack, you cannot simply train for a particular attack, like getting a flu shot for a specific strain, for example. You must constantly train your employees on the need for heightened awareness and alertness. The possible scenarios that bad guys could come up with to get your employees to divulge information are infinite and impossible to thoroughly prepare them for. You have to simply make them aware of the possibility of these kinds of attacks and get them to keep thinking strategically and out of the box. Because the bad guys will as well.&lt;br /&gt;&lt;br /&gt;Finally, I thought I would end with this little, possibly relevant nugget: at my company, it is impossible to know everyone by name or face since we have thousands of employees, yet every time and any time I have ever been asked if I have my badge as I am trying to enter the side door on some morning, the questioner has invariably been a woman....</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/7622385738964961274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/09/social-engineering-attack-men-vs-women.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7622385738964961274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7622385738964961274'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/09/social-engineering-attack-men-vs-women.html' title='The Social Engineering Attack: Men vs. Women.'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2479848917365233040</id><published>2010-06-23T20:20:00.001-04:00</published><updated>2010-06-24T10:16:42.147-04:00</updated><title type='text'>Update: Is this the Roe v. 
Wade of Privacy Cases?</title><content type='html'>To follow up on my post of April 16th about a police officer, Jeff Quon, in Ontario, California who was suing his employer for reviewing his personal texts on a company-owned and issued pager, the Supreme Court, &lt;strong&gt;&lt;em&gt;amazingly&lt;/em&gt;&lt;/strong&gt;, ruled 9-0 in favor of the Ontario Police chief, claiming that because there was reason to believe a work policy was being violated, his search of Quon’s texts did not violate Quon’s 4th Amendment right against illegal search and seizure; the court ruled that the search was reasonable. Did I mention that the texts were sexually explicit? And were to his girlfriend, ex-wife, and another colleague?! (Women must love a man in uniform.)&lt;br /&gt;&lt;br /&gt;This case is interesting for two reasons: secondarily, it is reportedly the first case on record to involve privacy issues regarding texting at work on a company-issued device.&lt;br /&gt;&lt;br /&gt;But the main reason this case strikes me as revolutionary is that I don't think people realize just how close to Armageddon we really were if the decision had gone the other way...can you imagine the nightmare for IT, and for Legal, if they had to try and perform discovery on company-owned devices that were constitutionally protected? This is the very model of privacy that Europe has today, where the employee's privacy takes precedence, as opposed to the U.S., where there is no expectation of privacy in the workplace (usually). 
If the decision had been for Quon, then we would have seen a slew of other cases that would have fundamentally changed the way IT and Legal administer hardware and access in the workplace.&lt;br /&gt;&lt;br /&gt;I feel like Earth just dodged a huge asteroid, but most people were distracted watching the World Cup....</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2479848917365233040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/06/update-is-this-roe-v-wade-of-privacy.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2479848917365233040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2479848917365233040'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/06/update-is-this-roe-v-wade-of-privacy.html' title='Update: Is this the Roe v. 
Wade of Privacy Cases?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-5069378806569693909</id><published>2010-05-09T17:24:00.003-04:00</published><updated>2010-05-09T18:35:05.063-04:00</updated><title type='text'>One Step Forward...Two Backwards...</title><content type='html'>&lt;span style="font-size: large;"&gt;The Step Forward&lt;/span&gt;….&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Based on how young people use the Internet these days and what they deem fit for universal public consumption and disclosure, I have believed for a very long time that they do not fully understand the implications of privacy and what it might mean to their personal and professional lives in the near and long term. 
Like impetuous youth, many do not think beyond the 30 minutes their attention spans can handle most days.&lt;br /&gt;&lt;br /&gt;However, a recent story I read in the New York Times gave me some renewal of faith in the ‘yutes’ of the world as they begin to realize that self-censorship might be one of the most beneficial actions they can undertake in the protection and advancement of their current and future professional lives.&lt;br /&gt;&lt;br /&gt;What many of these young people are quickly realizing is that not only are future and prospective employers trolling social media sites like Facebook and MySpace and search engines like Google for evidence of the candidate’s character, or other activity that may be representative of action ‘unbecoming of an officer’, but college admission offices are doing the same as well. &lt;br /&gt;&lt;br /&gt;As an employee, you publicly represent the company; as a student, you are a public representative of a college too. And as with any business (with the possible exception of the Hell’s Angels, I would imagine), public relations is a key element in the continued success of the college as it aims to turn out fine, exemplary products who represent the best of what the institution has to offer. So in addition to removing from their social media profiles any incriminating or questionable pictures, links, group associations and even political affiliations, some very canny students are starting to change the names of their Facebook profiles as early as junior year so as to throw the college admission snoop off the scent as he tries to determine if little Suzy is a collegiate candidate worthy of the Ivy League institution’s hallowed sheepskin. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The Two Steps Back part…&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Obscuring the details of one’s online avatar seems like a lot of work and possibly hardly worth the effort considering the risk to your privacy that someone might actually find you online. If you think that you fall too far under the radar for such important and busy people to waste their time trying to find out whether you have any drunken Mardi Gras pictures on your Facebook page, consider this website: www.peopleofWalMart.com. This website features pictures of actual customers of Wal-Mart taken by other customers and then uploaded to this site – without their permission or knowledge. The site claims itself to be a “satirical social commentary of the extraordinary sights found at America’s favorite store”. &lt;br /&gt;&lt;br /&gt;Forget worrying about whether your online privacy is being encroached upon or used as a factor in deciding your future; what this site tells me is that you cannot even take a quick trip to Wal-Mart in your scurvy, old pajamas to pick up a box of Q-Tips or Shake ‘n Bake without falling into the Black Hole of the ‘public domain’.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/5069378806569693909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/05/one-step-forwardtwo-backwards.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5069378806569693909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5069378806569693909'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/05/one-step-forwardtwo-backwards.html' title='One Step Forward...Two Backwards...'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-4322685316582159783</id><published>2010-04-16T07:55:00.000-04:00</published><updated>2010-04-16T07:55:30.948-04:00</updated><title type='text'>Is this the Roe vs. Wade of Privacy cases?</title><content type='html'>If this isn't the Roe vs. Wade, or Brown vs. 
Board of Education-type of landmark case for privacy rights, then I don't know what is...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here's the story: A police department in Ontario, Calif., issued two-way pagers to its SWAT team, and initially told the team that any messages sent via the pagers would be treated just like computer e-mail is, with no expectation of privacy for the contents.&lt;br /&gt;&lt;br /&gt;After a few months, the police department lieutenant then reversed his position and told his subordinates that the department would consider any messages sent via the pagers private and would not review them as long as the officers paid for any personal messages beyond a monthly character limit of 25,000.&lt;br /&gt;&lt;br /&gt;A few months later, the police department decided to review its policy to determine if it needed to increase its monthly limit. The department reviewed the transcripts of one of the users with the most texts, a Sgt. Jeff Quon. What they found when they reviewed the messages was that Quon had exchanged hundreds of (what else?) sexually explicit messages with his estranged wife, his girlfriend and another member of his team (I guess there is no crime in Ontario with all this free time). The Sergeant paid for all of the messages he sent, but he was eventually cited and reprimanded both for using department-owned property for personal use on the job and for using obscene language on the device, which is a violation of department rules. &lt;br /&gt;&lt;br /&gt;Quon, along with the ex-wife, girlfriend, and fellow officer involved with the messaging, all brought suit against the department for privacy violations. &lt;br /&gt;&lt;br /&gt;The U.S. Supreme Court takes up the case next week. &lt;br /&gt;&lt;br /&gt;The question is this: is the general expectation of privacy inviolate enough to rule in favor of the Sergeant? 
Or, should the US-oriented policy of ‘there is no expectation of privacy on any company-owned or issued equipment’ rule the day in favor of the police department?&lt;br /&gt;&lt;br /&gt;This is the first real, substantive case to test privacy rights in the Internet era. The issue at the heart of the matter is whether personal messages are indeed private when transmitted by an electronic device provided by an employer. But here is why this case really matters in the long run: texting on a pager aside, what happens if you are using e-mail or Facebook or Instant Messenger to communicate with parties outside of your employer? Should those messages be the property of the company since they were transmitted using company-owned devices? What about the privacy rights of the parties that you are messaging? They do not work for the company, so why should their privacy rights be infringed upon by the employer of the sender?&lt;br /&gt;&lt;br /&gt;Next week’s decision could be a simple reaffirming decision of individual rights being protected, or a very ominous sign about the impending and continual loss of rights and privacy in the digital age. Either way, you should pay attention.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/4322685316582159783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/04/is-this-roe-vs-wade-of-privacy-cases.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4322685316582159783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4322685316582159783'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/04/is-this-roe-vs-wade-of-privacy-cases.html' title='Is this the Roe vs. Wade of Privacy cases?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-3013563607098523381</id><published>2010-03-28T16:22:00.000-04:00</published><updated>2010-03-28T16:22:52.276-04:00</updated><title type='text'>The Privacy Premium....a.k.a. the 'Privacy Tax'</title><content type='html'>To continue in the vein of my last post, I wanted to dilate a bit on the idea of the privacy premium. 
As I stated earlier, I don’t think it is too unreasonable to imagine a society in the not too distant future where privacy and security, or the privilege of it, becomes monetized enough to the point that it is not just marketed as a competitive advantage, but as an added ‘feature’ that a company will charge you to implement. &lt;br /&gt;&lt;br /&gt;We have had for years small examples of this idea in practice. Think about the security on your house; you have locks on the windows and doors but that’s about where it ends. For an additional cost, you can contract with a security service that will provide additional security and peace of mind over and above what you practically get for free now. Recall my previous blog example of how today you pay an extra cost for not having your name in the phone book. Think about that for a second – we actually pay extra so that people can’t find us! See what I mean? What was once a status symbol has become a privacy albatross.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;At the far end of this spectrum will exist a service that erases all of your digital existence from any and every site or network you ever used or registered. So, no Google or Bing search will ever bring back any indication that you ever even looked at a computer. All for a fee.&lt;br /&gt;&lt;br /&gt;Today, we already have two very stringent state data security laws, in Massachusetts and Nevada, which call for, among other things, encryption of sensitive data on any devices that are portable (what device isn’t these days?). Any size company that holds or processes the data of the residents of these two states is impacted, regardless of whether or not it is a ‘financial institution.’ Encrypting data is not easy; and it is not cheap. Small companies will inevitably be unduly burdened. The extra costs that these companies incur will have to be passed on somehow. Where and how do you think the costs will go and in what form? 
Higher costs of goods and services to the end users, of course. Translation: a privacy tax. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How does this sound for a marketing pitch? “&lt;em&gt;We back up all of our customers’ data on media that goes offsite every week to ensure continuity of business. Want to ensure that your data is truly private and secure, and safe from the threat of being lost or stolen? Of course. You will want to ensure that you select the “Assurity” option when you enroll in our program. For only an additional $5.95 a month, you will have the peace of mind of knowing that your personal information is put onto our secure, AES 256-bit encrypted tapes which reside in a hardened vault, safe and secure from prying eyes&lt;/em&gt;….”</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/3013563607098523381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/03/privacy-premiumaka-privacy-tax.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3013563607098523381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/3013563607098523381'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/03/privacy-premiumaka-privacy-tax.html' title='The Privacy Premium....a.k.a. the &apos;Privacy Tax&apos;'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-4959054711074049204</id><published>2010-03-02T02:31:00.000-05:00</published><updated>2010-03-02T02:31:40.603-05:00</updated><title type='text'>Privacy À La Carte</title><content type='html'>Maybe you've already heard of a recent incident in a Philadelphia suburb where a school district gave a student a laptop to take home and use. What the student did not know was that the web cam on the laptop could be remotely activated and images could be captured and viewed by teachers. 
(Ostensibly, the laptop was configured to capture images of the machine’s user if it was lost or stolen.) The way the student found out that something was wrong was that a teacher reprimanded him for “inappropriate behavior” – at home! (Via the webcam, the teacher thought the student was taking pills, but it turned out to be Mike &amp;amp; Ike’s candy. I know, I know…happens to me all the time, too.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The lack of boundaries of privacy has only been exemplified with this web cam issue. The lines are increasingly grayed between where one’s responsibilities end and another’s privacy begins. Technology has all but shattered the partitions that used to exist in a society used to areas of black and white. What is curious, though, is that the boy and his family are screaming about his privacy being violated, but he and his entire family have already begun the media tour, appearing on CBS' The Early Show the Saturday after it happened. (Translation: We value our privacy, unless we can extract some value out of it....)&lt;br /&gt;&lt;br /&gt;The genie is out of the proverbial bottle with the state of privacy we once enjoyed. I envision a near future where privacy is no longer the quasi-right that people think it is today (BTW, the word ‘privacy’ is not mentioned even once in the Constitution); it is or will be a monetized privilege. Sort of like a driver’s license is. Consider privacy as a ‘pay for service’ in the future. You want privacy? You pay extra – like the extra cost you incur for not having your name in the phone book.&lt;br /&gt;&lt;br /&gt;As we surrender ourselves evermore to the Siren’s call of convenience that technology sings to us, you either plug your eyes and ears (that is, stay off the grid, or at least off Facebook, Twitter, MySpace or any reality show), or do what Ulysses did when he and his ship passed the island of the Sirens; he had his crew tie him to the mast and refuse to let him go no matter what he said. 
&lt;br /&gt;&lt;br /&gt;That is, he dealt with it.&lt;br /&gt;&lt;br /&gt;Note: Wikipedia notes that “the term "siren song" refers to an appeal that is hard to resist but that, if heeded, will lead to a bad result”.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/4959054711074049204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/03/privacy-la-carte.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4959054711074049204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4959054711074049204'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/03/privacy-la-carte.html' title='Privacy À La Carte'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-5038828284999890568</id><published>2010-02-20T20:21:00.000-05:00</published><updated>2010-02-20T20:21:02.178-05:00</updated><title type='text'>Is Privacy dead? Or just Modesty?</title><content type='html'>As I have noted before, Sun Microsystems co-founder Scott McNealy was famously quoted saying: "You have zero privacy anyway. Get over it." But that was said way back in 1999!! Back then, there was no Facebook, no MySpace, no Twitter, nor LinkedIn; Google was barely a year old.&lt;br /&gt;And privacy was already dead?!? 
(Where was I?)&lt;br /&gt;&lt;br /&gt;Mark Zuckerberg, CEO and founder of Facebook, recently said in an interview that "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." He then went on to say, “…we view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are.” &lt;br /&gt;&lt;br /&gt;Interesting. So are Facebook and other social networking sites only &lt;em&gt;reflections&lt;/em&gt; of what is currently acceptable in society at this point in time? If that is the case, then why must there be laws, for example, against drunk driving if people should know when to quit (the social norm) and not to do something dangerous like get behind the wheel after too many cocktails? Yet we have had to put laws in place that actually define what is drunk in the legal sense (i.e. blood alcohol level). Self-regulation, at least in this instance of personal behaviour, does not universally work out so well.&lt;br /&gt;&lt;br /&gt;So what drives what? Does Facebook reflect the new normalcy of openness or does it merely provide an outlet for pent–up desire for everyone to engage in a community, share some intimate details with friends (but mostly acquaintances), and attempt to parse the much desired 15 minutes of fame into smaller, longer bits? Are our egos crowding out the sense of Victorian modesty that used to prevail in the company of strangers, or even friends? With 350 million users now on Facebook, it is difficult to believe that only the extroverts have inherited the Earth…..&lt;br /&gt;&lt;br /&gt;The question is: are sites like Facebook (not the only enabler here) simply the exploitation tool that drives the users to reveal more private detail, or rather, just the medium? 
Social networking sites like FB can be no different than videos like “Girls Gone Wild.” This outlet more than enables bad behavior; it rewards it with some kind of validation and exposure. But then again, should I be able to blame the New Jersey Turnpike for me being caught going 100 miles an hour…..?</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/5038828284999890568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2010/02/is-privacy-dead-or-just-modesty.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5038828284999890568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/5038828284999890568'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2010/02/is-privacy-dead-or-just-modesty.html' title='Is Privacy dead? Or just Modesty?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8749704644556012992</id><published>2009-12-29T17:31:00.000-05:00</published><updated>2009-12-29T17:31:26.787-05:00</updated><title type='text'>2009 Privacy Putz of Year Award</title><content type='html'>In the tradition of the year–end custom of awarding something or someone with a “Best of” award for outstanding achievement in a particular category, I have decided to do the same with the area of privacy – with a bit of a twist. 
We constantly hear about our loss of privacy as one of the chief byproducts of our interconnected, always-on world, and how we are barely clinging to what’s left of the shredded veil of secrecy behind which we were so used to hiding. I thought it would be more interesting to award the one person who has done the most to willingly obliterate his or her right of privacy.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So, welcome to the 1st annual ‘Privacy Putz of the Year’ award. Unlike the complexity of trying to choose who has done the most to advance the interests of privacy and security in our culture and day-to-day lives, it was comparatively simple this year to highlight the individuals who have done the complete opposite of what makes sense as it relates to trying to maintain one’s anonymity and low profile in this quasi-Orwellian world of me, me, me on the Web and TV.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For this year’s inaugural award, I decided to forgo the obvious, the deluded attention-seekers who were purposely willing to give their privacy away for a small taste of the nectar of fame. It would have been too easy, for example, to choose one of the three top higher-profile candidates: first, Nadya Suleman, the so-called “Octo-mom”. This is the lady who recently produced a set of octuplets and then signed on to her own reality show so we could all voyeuristically enjoy another person taking care of their kids, only in this case it was 14 of them at the same time. What was more interesting about Suleman, however, was that the world soon found out that this 33-year-old single mother already had six children who were born, just like the octuplets, through in vitro fertilization. (Six isn’t enough?!)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The second candidates I quickly discounted were the White House party crashers, Tareq and Michaele Salahi, whom I spoke about in my last blog and who must have been shocked, shocked I say! 
that their personal lives would be so scrutinized after this little misdeed of theirs. However, to their credit, the Salahis did organize their Facebook page very nicely, fully detailing every person and dignitary they met that night, with glossy color photos in case the Secret Service didn’t know where to look for evidence of the security breach.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Finally, the last obvious candidate that was too easy to ignore was the pair of Kate and Jon Gosselin. These two have been so overexposed in the media and their story has been so hashed and rehashed that it warrants no further comment from me. They have sown the wind; so let them now reap the whirlwind.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As for the viable candidates, first runner-up to the Privacy Putz award goes to one Craig Lynch, a 28-year-old prison escapee from Suffolk, England, who escaped from prison back in September but has not been content to just keep the low profile of your average bloke who manages to make it over the prison wall; instead he has continued to update his Facebook status regularly - describing everything from what he had for dinner to who his next girlfriend in the New Year might be. This might be the digital version of the trail of popcorn…&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;But the real winner of the Privacy Putz Award for 2009 is the one individual who in my opinion did the most harm to her own privacy, the most to undermine her overall well-being and anonymity, and that person was one Natalie Blanchard, an IBM employee from Quebec. Ms. Blanchard was out of work on long-term disability for depression for 18 months when suddenly her insurance company, Manulife, immediately terminated her monthly payments. How was it that the company came to such a definitive diagnosis of Ms. Blanchard’s ostensibly legitimate condition? A psychological examination? A thorough medical evaluation? Rock, paper, scissors? Nope. Ms. 
Blanchard, actually, was apparently only too eager to assist the company in its conclusive diagnosis of her remarkable recovery from major depression. &lt;br /&gt;&lt;br /&gt;Blanchard undermined her own case by posting certain pictures and status updates of herself on her Facebook page. What’s wrong with that, you ask? Well, in the past 18 months while she was “recovering,” a series of pictures she posted on her Facebook page show her taking the time-tested remedy for depression by attending a Chippendale’s male strip show while on vacation. Other pictures showed Blanchard at bars, beaches, and on three other 4-day holiday trips, which were recommended by her psychologist, all the while collecting the benefits from her job at IBM. A Facebook status message said that she had climbed a mountain recently, as well. You go, girl.&lt;br /&gt;&lt;br /&gt;It appears that her privacy settings, or lack thereof, on her Facebook page allowed either someone from her company or someone from the insurance company to view her tell-tale postings, because when she eventually called the insurance company to inquire why her payments had abruptly ceased, the reason given was that according to the photos and postings on her Facebook page, Blanchard was apparently no longer depressed! Wow! Manulife was able to diagnose Ms. Blanchard essentially through hearsay, assumption and innuendo, all from the comfort of the office PC. One small step for psychology; one giant leap for Manulife. Case closed. It’s a Holiday miracle. &lt;br /&gt;&lt;br /&gt;Congratulations to Natalie Blanchard for the 2009 Privacy Putz of the Year award. Well deserved.&lt;br /&gt;&lt;br /&gt;As I attempt to emphasize in every blog post here, we now live in a post-privacy world, devoid of the traditional trappings of common sense, guilt, shame and discretion. 
Using tools like Facebook, MySpace, Twitter, and even blogs like this puts your life, opinion, ideology and in some cases private life right out on the web for all to see, and see it forever. &lt;br /&gt;&lt;br /&gt;Just think, the world used to be your oyster; now it is your fishbowl.&lt;br /&gt;&lt;br /&gt;Happy New Year.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8749704644556012992/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/12/2009-privacy-putz-of-year-award.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8749704644556012992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8749704644556012992'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/12/2009-privacy-putz-of-year-award.html' title='2009 Privacy Putz of Year Award'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8255869310345339405</id><published>2009-12-01T21:31:00.000-05:00</published><updated>2009-12-01T22:00:50.776-05:00</updated><title type='text'>The Paradox of Privacy - Part III, The Exciting Conclusion</title><content type='html'>I hadn't intended this piece to run beyond one part, let alone two, but there are just too many interesting things to discuss about who the biggest threat to your privacy is…&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I want to discuss the recent event of the two publicity seekers who crashed the White House state 
dinner last month. Their obvious desperate need for attention and B-List fame reflects what Andy Warhol said about everyone: we all want 15 minutes in the spotlight. Some get it. But at what cost? What the party-crashing couple is now finding out about the dark side of fame (even fleeting, undeserved fame like theirs) is what&amp;nbsp;the first casualty always is: privacy.&lt;br /&gt;&lt;br /&gt;Because these two miscreants put themselves in the spotlight willingly, it is obvious that the last thing they wanted from the experience is anonymity. What they are experiencing now, and will experience a hundredfold more, is the degree to which the blogosphere will go to turn over every stone and look for every skeleton in every closet to attempt to (rightfully) embarrass these two. What they will find is that they have awakened a sleeping giant of spite and vindictiveness that will rain down all hell upon them. You can see it already occurring in the revelations that the couple is involved in a plethora of lawsuits, bankruptcies and intra-family fighting.&lt;br /&gt;&lt;br /&gt;Why? I believe primarily that Americans are an easy lot to entertain and amuse - American Idol, People Magazine, NASCAR don't require much brain matter to process - but the one thing we demand is that our 'celebrities' bring something to the table. Michael Jackson, Tiger Woods and Oprah are famous for a reason - talent. Talent is their currency and we exchange it for fame and adoration. We realize at some level that we cannot easily be like them because they are 'better' than us in some unique way. The couple that crashed the White House is not better than us in any way; we resent their pretentiousness and base arrogance that is offset with nothing in return - it is a classic bait and switch. That they could crash the White House party - okay, good trick - but what do we get in return? A vacuum. Luciano Pavarotti could be arrogant; Bill Gates can be arrogant; Dr. 
J can be arrogant, he was after all one of the greatest basketball players that ever lived. These two, however, deserve what they get. &lt;br /&gt;&lt;br /&gt;Most of us only give up our privacy piecemeal – a bit here for some small convenience, a bit there for a 25% off coupon, etc. This couple relinquished their personal privacy wholesale with this selfish and thoughtless antic. Who will they have to blame for the sudden and very public loss of privacy? Who else? Themselves. I hope it was worth it.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8255869310345339405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/12/paradox-of-privacy-part-iii-conclusion.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8255869310345339405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8255869310345339405'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/12/paradox-of-privacy-part-iii-conclusion.html' title='The Paradox of Privacy - Part III, The Exciting Conclusion'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8108378316358044539</id><published>2009-11-15T16:03:00.000-05:00</published><updated>2009-11-15T16:03:53.092-05:00</updated><title type='text'>The Paradox of Privacy -  Part II</title><content type='html'>I want to continue my discussion from last month on one of&amp;nbsp;the biggest threats to your right of privacy - you. 
&lt;br /&gt;&lt;br /&gt;If you have a Facebook account you probably get 10-15 requests a week from your Friends to answer or play games or contests that require some personal information to be input or revealed - the most famous and pervasive application was the "25 Things You Don't Know About Me" which took the Facebook community by storm over the spring and summer. &lt;br /&gt;&lt;br /&gt;Notwithstanding the fact that you get to know random, irrelevant and mostly inane 'facts' about your friends and friends of friends, what is more insidious is what you reveal to them and the world at large. Since most cases of identity theft are committed by people that the victim knows well or has some relationship with, it is not improbable that you may have 'friended' that person on Facebook as well. Now that they know what your first dog's name was, or favorite grade school teacher, or that you eat peas with a fork, that insight&amp;nbsp;allows them to glean little bits of info about you that help build a case of identity theft. Think about all of the websites that ask for either passwords or security questions for credentials. You supply very similar information as the answers, and in many cases also provide your own questions - some of which mirror the ones asked by that Facebook application itself. Perfect fodder for ID thieves....and most valuable because it comes right from the source.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So think before you surrender little pieces of your personal life for what you may think to be only harmless and transitory amusement (and for free!). It may have some very long-lasting and unwanted repercussions.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8108378316358044539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/11/paradox-of-privacy-part-ii.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8108378316358044539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8108378316358044539'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/11/paradox-of-privacy-part-ii.html' title='The Paradox of Privacy -  Part II'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-6716158010899700370</id><published>2009-10-10T16:14:00.000-04:00</published><updated>2009-10-10T16:15:31.188-04:00</updated><title type='text'>An effective incident response process</title><content type='html'>Thanks to the great people at SC Magazine for publishing this piece of mine.&lt;br /&gt;&lt;br /&gt;Security and privacy incidents pose real risks to companies of any size and complexity. &lt;br /&gt;&lt;br /&gt;These types of unwelcome events do not discriminate. 
The steps your company takes to deal with the response and remediation, however, will allow you to differentiate yourself from other companies who suffer the same fate.&lt;br /&gt;&lt;br /&gt;An excellent first step in the incident response process is to simply define and understand what the terms violation, incident or breach mean in the context of your industry's lexicon. The terms may already be defined by regulations or laws that govern your industry or company. If so, you should align your understanding with these already-defined measures since you will probably be legally held to them in the case of an incident. It also will be beneficial to try and articulate the possible scenarios that are likely to occur in your line of work. While you cannot possibly define every likely incident, you should be able to imagine a short list of the ones within the realm of possibility.&lt;br /&gt;&lt;br /&gt;Second, define, document and publish procedures that are to be followed in the event of an incident. However, the procedure should include steps to take in reaction to the incident that define who does what and when. The procedures don't necessarily need to be overly detailed or verbose, but they should avoid being subjective or too generic so as not to invite indecision or confusion during a time when you least want it. Having a single procedural guide on which to rely during incidents fosters accountability and follow-through.&lt;br /&gt;&lt;br /&gt;Once a central point of contact is appointed, then a response team can be created. Depending on your company, this may be an army of one or a group of 25. If you don't have the luxury of dedicated resources, then a virtual team can be named that comes together in a time of crisis, and then just as quickly dissolves once the storm has passed. 
This process allows a company to harness the particular expertise of its employees, while still allowing them to do their day jobs.&lt;br /&gt;&lt;br /&gt;In this age of free-flowing information, your customers and clients do not realistically expect you to never have a security or privacy breach. No rational person expects all of their data, in all its iterations, in all locations, to forever remain safe and secure. What those customers and clients do expect of you is to have a process in place to reasonably prevent the incident from happening and, when it does happen, have a plan in place to deal with the consequences. Part of those consequences involve notice to clients and customers of what happened, details on how you will rectify the current situation and, finally, plans to ensure that this same event does not happen in the future.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;From the October 2009 Issue of SCMagazine&amp;nbsp; (&lt;a href="http://www.scmagazineus.com/An-effective-incident-response-process/article/151825/"&gt;http://www.scmagazineus.com/An-effective-incident-response-process/article/151825/&lt;/a&gt;)</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/6716158010899700370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/10/effective-incident-response-process.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6716158010899700370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/6716158010899700370'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/10/effective-incident-response-process.html' title='An effective incident response process'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-4411006533366552173</id><published>2009-10-01T21:41:00.001-04:00</published><updated>2009-10-02T10:55:00.015-04:00</updated><title type='text'>The Privacy Paradox Part I</title><content type='html'>&lt;div class="MsoNormal"&gt;"&lt;i&gt;You have zero privacy anyway. Get over it&lt;/i&gt;." 
- Former Sun Microsystems CEO, Scott McNealy.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;With the increasing evidence of the lack of personal privacy that average Americans are experiencing daily, it might be interesting to try and uncover possible culprits and root causes. Technology? The Government? Global warming? Nope. Here's the answer: You. Read on.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Forget about the lack of privacy for a second. Instead, think about all you do to try and stay secure, and low profile enough so as not to make yourself a target for identity theft: you shred all of your sensitive documents, you only do business online with SSL enabled websites, you check your credit score annually, you read your credit card statements carefully. And yet, ironically, many of your daily habits work to undermine the anonymity and low visibility you seek to maintain. How? Simple. Throughout the week, in the on and off-line world, start counting up all of the places you leave an electronic fingerprint or footprint big enough that Hansel and Gretel would have no problem following it home, let alone someone more nefarious trying to track you.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Let’s start in the morning. You head to Starbucks for coffee and breakfast. You pay with your Starbucks card and a little crumb is left that you were there. 
(Literally and figuratively.)&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;As you head over the bridge, you maneuver towards the E-ZPass lane to expedite your crossing, while the camera reads your E-ZPass tag and debits your account for the $4 toll. At the same time, it records that you were crossing the bridge, again, that morning at around the same time every weekday.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Once you’re at work, all day you’ll be logging into websites that you typically frequent that will greet you with the “Welcome Back!” message since you checked the “Remember Me” box on the sites and a ‘cookie’ was placed on your computer. Ostensibly created to enrich the surfing experience and save the users from logging in every time, the cookies tell the websites not only when you went to the site but what kind of things you like to do when you are there. You may have even given them a credit card to hold for you as a matter of convenience! (Yours or theirs?)&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You head to the gym at lunch and swipe your bar-coded gym card to let L.A. Fitness know you exercise at least 3 days a week. After the gym, you stop at Chick-fil-A for a grilled chicken sandwich, which you pay for by credit card. 
MasterCard now knows you like waffle fries.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You stop on the way home from work at ShopRite for flowers for the wife and before you pay, you swipe your ShopRite Plus card at the register to save $1.50 on the bouquet, and, unknowingly, to help ShopRite know to not only order another batch of orchids for its inventory, but what your shopping preferences are as well. Finally, you make a call home to let them know you’re running late. But the GPS tracking in your iPhone already knows this.&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;And this is all in just one day…the pattern amplifies once you begin to travel further away from home and to other countries. Everything collected about you so far was possible because you felt it a worthwhile voluntary tradeoff of a bit of your privacy for the sake of convenience and efficiency; none of it was required or mandated by anyone. &lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Here’s the kicker. Think of the proverbial frog in the pot; you turn up the heat immediately and he jumps out. If you slowly turn up the heat incrementally, he boils to death without realizing it. So you think you are losing your privacy little by little every day? Guess what? You are. And it’s not because the government or advancements in technology are necessarily taking it away, it is because you are giving it away. Little by little. And you may not realize it. Just like the little oblivious frog.&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/4411006533366552173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/10/privacy-paradox.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4411006533366552173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/4411006533366552173'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/10/privacy-paradox.html' title='The Privacy Paradox Part I'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-1973278349693589936</id><published>2009-09-14T14:41:00.000-04:00</published><updated>2009-09-14T19:03:14.348-04:00</updated><title type='text'>Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention</title><content type='html'>I just published a White Paper with an associate, Todd Ruback, entitled&lt;br /&gt;"Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention".&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The purpose of the paper is to review the topic of data breach from two perspectives: first, an overview of the 
trends in data breach litigation, and second, a more granular perspective of practical data protection processes that may serve as a guidepost to help reduce the risk or likelihood of data breach. Taken together, the reader will understand why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.&lt;br /&gt;&lt;br /&gt;Here is the link to the paper. Please let me know your comments or feedback.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tinyurl.com/n9d9lc"&gt;http://tinyurl.com/n9d9lc&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Al</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/1973278349693589936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/09/data-breach-overview-of-trends-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/1973278349693589936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/1973278349693589936'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/09/data-breach-overview-of-trends-in.html' title='Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-1919656451360829010</id><published>2009-06-28T15:09:00.000-04:00</published><updated>2009-06-28T15:24:31.798-04:00</updated><title type='text'>Airport Security Part II</title><content type='html'>As I have recently been in airports in India, Malaysia, and the Philippines, I am continuing my discussion from last month on the absurd, contrived and even artificial displays of security in airports around the world. 
Though I don’t want to minimize the real and effective measures of security that some of the airports I was in had in place (especially Kuala Lumpur), there still seemed to be a number of procedures and processes in place that were either ill-conceived or worse, arbitrary. &lt;br /&gt;&lt;br /&gt;The best example of this scenario I can give you is the practice of some airports which require you to have your luggage screened for dangerous items right after you enter the airport. The curious thing about this procedure is that the luggage screening machine is right in the middle of the airport floor, and that in most cases you are given your luggage back to then take it to the ticketing counters to check it yourself. In India and Manila, for example, airport security staff (manually) put a very thin plastic security band around the middle of your checked luggage which states that this piece of luggage has now been ‘security screened.’ For the life of me, I cannot imagine why the authorities who concocted this process would not think that someone could easily put an explosive or some other device in their luggage after it went through the scanner and it was given back to them?!? Granted, there might be a secondary screening after the bag is checked at the ticket counter (which I doubt), but why make it so easy to bypass this first layer of security?&lt;br /&gt;&lt;br /&gt;In the world of privacy and security, the most effective defenses are a series of layered security hurdles, be they electronic, physical or a combination of both. The point is to set up a series of inline hurdles that a bad guy needs to clear before being able to cause damage to your organization. And those hurdles should be progressively more difficult: the more determined the bad guy is, the more work he should have to do to get to the prize. The initial barriers of defense are fine for the lazy, stupid or inadvertent criminal, but the last barriers should be very difficult to overcome (e.g. 
biometrics).&lt;br /&gt;&lt;br /&gt;All this has a price. Contrived security measures make a mockery of the whole notion of having security in place at all. At best, it causes inconveniences and extra costs for both travelers and the airport system in general. At worst, it gives bad guys easy insights into exploiting the systems and also gives travelers a false sense of safety. And that is the most expensive price of all to pay.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/1919656451360829010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/06/airport-security-part-ii.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/1919656451360829010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/1919656451360829010'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/06/airport-security-part-ii.html' title='Airport Security Part II'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-7557420158202191297</id><published>2009-05-31T19:23:00.000-04:00</published><updated>2009-05-31T19:25:23.827-04:00</updated><title type='text'>Airport Security: Security through Absurdity?</title><content type='html'>IN A PERFECT WORLD security and screening procedures at all airports around the world would be the same, and uniformly applied to all travelers. 
Airport security agencies could always apply stricter measures of interrogation or screening as appropriate based on a tangible or suspected suspicion of travelers who may pose a risk to the safety of the other fliers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;IN THE REAL WORLD of course, this does not always happen, if at all. I am a frequent and diverse traveler, visiting at least 28 countries so far. I think that I speak for many travelers when I say that the most frustrating aspect of the security screening process is not the ridiculously invasive and inane measures of having us remove most of our clothes. Nor is it the ‘random’ screening of grandmothers and 5 year old kids that make people inwardly think that Osama Bin Laden would laugh himself silly over these ‘protective’ measures if he could witness what he hath wrought. No, I think what infuriates the traveler most, at least the seasoned ones who have some point of reference, is the real weakness of the procedures that are in place: inconsistency.&lt;br /&gt;&lt;br /&gt;Now, I grudgingly concede that screening should be done in this day and age. I would even finally quietly submit to the partial disrobing that occurs in the most public of places, if only it was the same routine each and every time. For example, sometimes I have to take my little bag of 3 ounce toiletries (the ‘humiliation baggie’ as I call it) out of my suitcase, and sometimes I forget and it goes thru the scanner with no comment whatsoever. Sometimes I have to take my stainless steel watch off; sometimes I don’t. Sometimes I have to remove my belt; sometimes I don’t. Does the watch or belt represent a risk or not? Just tell us to do it every time or let us board a plane with at least an ounce of dignity remaining. You used to be able to put your shoes and coat in the same bin at screening, now I notice they are making you put your shoes right on the belt as it goes thru the scanner. 
(Are terrorists still trying to get on planes with explosives in their shoes?!? Hasn’t that ship left the dock? God forbid some dumbass terrorist tries to smuggle explosives on the plane in his underwear….ponderous what that might mean at screening…)&lt;br /&gt;&lt;br /&gt;In every U.S. airport I have to remove my laptop out of my bag before it goes thru the scanner; in most foreign airports, I don’t. In the U.S., you have to have a picture that matches the name on the boarding pass; in India, for instance, they don’t even ask you for I.D. when flying within the country.&lt;br /&gt;&lt;br /&gt;So why the inconsistencies? I can’t imagine the TSA in its infinite wisdom has created the process by design to foil or catch bad guys. If anything, the haphazard application of the rules will only catch the stupidest of terrorists. I realize that the poor TSA employees in the airport are only following orders from above and have to deal with the wrath of the beleaguered travelers. Again, the concern from most travelers is that the procedures are more knee-jerk reactions to recent past threats and not proactive measures that are risk-based. The TSA should take note from the screening measures in Israeli airports. The Israelis do not try and mete out politically correct measures to everyone (grandmothers and 5-year-olds) like we do here; instead they focus their efforts on the most likely suspects and focus energies on the targets that are most likely to try and do them harm – generally Arab males between ages 18-35. In other words, they are consistent. Does it work? The Israelis have not had any airline terrorist incidents since 1973. What do you think?</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/7557420158202191297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/05/airport-security-security-through.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7557420158202191297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7557420158202191297'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/05/airport-security-security-through.html' title='Airport Security: Security through Absurdity?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-7489707342712204264</id><published>2009-05-21T21:54:00.000-04:00</published><updated>2009-05-21T21:58:09.245-04:00</updated><title type='text'>Lost my data? Oh, thanks for telling me!</title><content type='html'>IN A PERFECT WORLD if a company suffered a data or security breach or compromise, the company would have to notify only the customers it had in the state where the company was incorporated or was headquartered. 
Or, slightly more onerous, the company would notify all of its customers, but only according to the notification and disclosure law(s) (if any were in effect) within the state where the company was headquartered. The company would always disclose these infractions, as doing so was in the best interest of both the company, by building goodwill with its customers, and the customers, by making them aware of an untoward event that may make their financial life a bit less agreeable.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;IN THE REAL WORLD, of course, this does not always happen, if at all. In fact, as recently as 2003, before California SB 1386 (California Security Breach Information Act – the first of its kind), the de facto procedures that companies followed if and when a breach occurred were generally up to the discretion of company management. And when do you ever remember receiving the kind of notification letters that you probably receive now a few times a year when a company loses a laptop, backup tape, server, box of files, etc.?&lt;br /&gt;&lt;br /&gt;As of this writing, there are 45 unique state breach notification laws that companies doing business in more than one state must contend with. As my business associate Todd Ruback, a Privacy/Data Breach and Internet Attorney/CIPP at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis &amp;amp; Lehrer, likes to remind me, there are still companies – and not just small ones – that mistakenly believe that you only have to comply with the breach laws of your state, regardless of where your customer base resides. Not true!&lt;br /&gt;&lt;br /&gt;If it weren’t for these laws, most breaches, compromises, or data lost by companies would go unreported. 
Companies were always frightened that disclosing this information would cause customers to lose faith and confidence in the company’s ability to protect the sensitive information with which it was entrusted. And they had good reason to be afraid. Historically, consumers would abandon any company that showed a blatant disregard for the protection of its customers’ data. Today, probably due to the overall plunge in customer service quality, and the public’s general acceptance of this dismal state of affairs, breach notices received in the mail are treated with a lot less interest than receipt of the new Victoria’s Secret catalog. And that is a shame because, as much as you would like it to, a sexy new swimsuit won’t change your life for the better. However, one of these notices telling you that your personal and sensitive information has been lost and is now in the ether somewhere may just change your life for the worse.</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/7489707342712204264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/05/lost-my-data-oh-thanks-for-telling-me.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7489707342712204264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/7489707342712204264'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/05/lost-my-data-oh-thanks-for-telling-me.html' title='Lost my data? Oh, thanks for telling me!'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-918024546259173755</id><published>2009-04-16T23:00:00.000-04:00</published><updated>2009-04-16T23:05:10.813-04:00</updated><title type='text'>Privacy &amp; Security as a competitive advantage</title><content type='html'>Thanks to the great people at SC Magazine for publishing this piece of mine.&lt;br /&gt;(&lt;a href="http://www.scmagazineus.com/The-privacy-security-advantage/article/130470/"&gt;http://www.scmagazineus.com/The-privacy-security-advantage/article/130470/&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;Here is 
the longer, unabridged version:&lt;br /&gt;&lt;br /&gt;Using privacy &amp;amp; security as a competitive advantage&lt;br /&gt;&lt;br /&gt;There is an old axiom in marketing circles that it costs significantly more money to acquire new customers than to retain and service your old ones. Since the business environment has slowed for now, showing additional ‘value added’ services rather than simply a lower price, for example, is critical for many companies higher up the value-chain that are providing a service. Clients should particularly value a competent privacy and security program implemented at their service providers since it will not ‘cost’ them any more than they already pay for an expectation that their data/info is safe and secure.&lt;br /&gt;&lt;br /&gt;Any company that has customers to be accountable to, doing business in these dire financial times, should be required to look good and hard at what additional value it can bring to its customers - besides the primary product or service it already provides. In addition to being a great marketing and selling opportunity, this introspective look for security and privacy ‘value’ can give companies a chance to leverage what they uncover as a differentiating factor – a competitive advantage.&lt;br /&gt;&lt;br /&gt;A company with a solid, mature security and privacy program will be well advised to make this fact known to both its marketing and sales teams, and its customers. Privacy and security competence matters more than ever in this precarious financial environment. Rather than the ‘distraction’ of making money hand over fist, the focus for many companies is now on keeping existing customers satisfied instead of only worrying about adding new ones to the fold.&lt;br /&gt;&lt;br /&gt;How can an organization best position its privacy and security programs and oversight to be used as a competitive advantage? 
First, of course, you need to ensure that your privacy and security program is robust, well-tested, formally documented and meets or exceeds whatever legislation your company is subject to or regulated against (Gramm-Leach-Bliley, HIPAA, etc). Aligning your programs against a standard like NIST or ISO 27001 is an excellent way to ensure that your programs minimally meet a design framework that is accepted and understood by your market or vertical.&lt;br /&gt;&lt;br /&gt;It is critical to give your customers a point of reference about the validity of your programs so they can easily translate the value into a currency they recognize. If your clients are banking institutions, for instance, it makes a lot of sense to develop your privacy and security programs around the Federal Financial Institutions Examination Council (FFIEC) standards since most banks, thrifts, savings &amp;amp; loan institutions and credit unions are regulated by entities that make up the FFIEC (OCC, OTS, FRB, FDIC, &amp;amp; NCUA). Doing this will make it easier for your banking clients to get their auditors or regulating agencies comfortable with using your firm as a service provider. Helping them successfully navigate audits makes you a valuable partner. Your customers will really begin to derive value from well-designed and real-world tested programs when they realize that they can lessen their due diligence and oversight of your firm due to the extensive testing and thoroughness of your own internal activities.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Companies doing business in the US, especially in the financial and health care sectors, are already exposed to a litany of legislation, mandates and guidance that they are regulated and tested against quarter after quarter, year after year. Companies can realistically expect such federal and state legislation to only become stricter, more onerous and more invasive. 
Most companies already either perform or have a 3rd party perform some kind of internal and/or external assessment. These activities could be everything from simple perimeter vulnerability scans to intrusive penetration tests on web-facing applications. If you are having these done, you should leverage the results (properly scrubbed of any confidential or proprietary information like IP addresses, of course) and provide your clients executive-summary-type versions of the reports to show that not only are you constantly evaluating the viability of your network, but you are having an independent third party do it for you. You should also take advantage of any other internal and external audits, assessments and oversights that you can reasonably share with external parties by crafting these documents, or summaries of them, as a consumable for external parties. It has been my experience that clients, especially their security teams, really appreciate this effort.&lt;br /&gt;&lt;br /&gt;Any attestation, especially an independent one, that your controls are in place and functioning properly gives clients a sense of comfort, and may even relieve them of significant oversight of you as a service provider – saving them time and money – or may at least minimize the intrusions of each and every client and their auditors tramping through your shop.&lt;br /&gt;&lt;br /&gt;Another innovative way to deliver a competitive advantage today is in the realm of vendor management. This discipline is quickly becoming an increasingly high profile topic of discussion and interest between clients, customers and their service providers. The onus is on you to demonstrate oversight of your 3rd party service provider(s); you need to show especially robust oversight controls if the 3rd parties are perceived to be of higher risk, such as an overseas provider. 
If you are outsourcing some of the work your clients have turned over to you, those clients may ask “Why am I outsourcing to you if you in turn outsource?” Here is where you point out your management and oversight of the vendors and how you assume full accountability for the controls in place, as well as the robustness of those controls. This is where you also have the “value add” conversation and demonstrate why your clients placed their trust in you in the first place; it is a key selling point for your company to use to distinguish itself from competitors. This will resonate especially soundly with any clients that provide you access to or control over their sensitive customer data, proprietary or intellectual property.&lt;br /&gt;&lt;br /&gt;Lastly, a final easy way to show privacy and security competence over competitors is in the area of oversight of employees and their access controls. This long-neglected, decidedly un-sexy discipline is now, like vendor management, starting to get the attention it deserves. Most studies of risk show that internal employees who already have access to the company network pose the biggest threat – the malicious insider. One of the best ways to show oversight and mitigation of this risk is with regular entitlement reviews. Nothing may prevent a trusted employee from one day going ‘rogue’ of course, but habitual review of appropriate access will minimize damage from people who no longer have a ‘need to know’ access to the critical and sensitive applications and data that may represent the lifeblood of your company.&lt;br /&gt;&lt;br /&gt;Still need justification for your programs? The benefits of a competent privacy and security program are myriad and are more visible and tangible than ever. Don’t just analyze what it costs to administer your programs (FTE’s, software, etc) or even what the ROI may be (if you can even calculate it). 
The hard and soft costs associated with damage to a brand or reputation due to a breach or compromise may be incalculable, and may make it very difficult or impossible to woo back former clients who left due to the breach, or worse, woo new clients into the fold. How’s that for justification?</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/918024546259173755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/04/httpwwwscmagazineuscomthe-privacy.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/918024546259173755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/918024546259173755'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/04/httpwwwscmagazineuscomthe-privacy.html' title='Privacy &amp;amp; Security as a competitive advantage'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-2271862923303851919</id><published>2009-03-04T08:36:00.000-05:00</published><updated>2009-03-04T13:53:38.760-05:00</updated><title type='text'>Identity Theft Tops FTC Complaint List.... Again</title><content type='html'>IN A PERFECT WORLD when someone attempted to use data that is not theirs, the hurdles and roadblocks to successful authentication would prevent the illegal use of that data. 
It would be like finding a key, but not having the matching lock to use it with - what good would having the key do you then?&lt;br /&gt;&lt;br /&gt;The FTC recently noted that identity theft was the biggest consumer complaint again for data collected in 2007...no surprise there. What was interesting in the data was that although credit card fraud was top of the list in terms of percentages (23%) - as well as the usual suspects (loan fraud) - the surprising info for me was the significance of other fraud: phone or utilities fraud (18%), employment fraud (14%) and government documents / benefits fraud (11%).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;IN THE REAL WORLD this data tells me that fraudsters are either setting themselves up for more sophisticated identity theft schemes by further compromising a stolen person's identity, or, ordinary people who do not have some basic resources and coverages are misrepresenting their identity to get a job, a health claim paid, or to get cable or phone service. Some of it is due to outright fraud, obviously, but I suspect a lot of it is due to the fact that some people either have no credit or lousy credit and cannot get some service or job on the merit of their own credit history and have taken the low road to use someone else's good credit history. Either way, it still is a warning signal to us that our personal data is still subject to compromise and misuse in so many ways that may be not as evident as receiving your monthly Visa card bill showing a new flat panel TV just purchased from Best Buy (that you didn't buy).&lt;br /&gt;&lt;br /&gt;Studies of identity theft show that the perpetrators of this crime are typically people who are known to the victim (friend, family, tenant), as well as people who have physical access to the data. 
Rare is the clichéd situation where the hacker, wearing a ski mask and 5-day stubble, intercepts your data via an online transaction. As security guru Bruce Schneier has said, making the data hard to get is not as practical an approach as making stolen data hard to use.&lt;br /&gt;&lt;br /&gt;What do you think?</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/2271862923303851919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/03/identity-theft-tops-ftc-complaint-list.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2271862923303851919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/2271862923303851919'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/03/identity-theft-tops-ftc-complaint-list.html' title='Identity Theft Tops FTC Complaint List.... Again'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1411700222164224755.post-8720075947331620024</id><published>2009-02-23T08:54:00.000-05:00</published><updated>2009-02-23T09:19:22.711-05:00</updated><title type='text'>How safe is your financial data? 
Do you ask?</title><content type='html'>IN A PERFECT WORLD when you hand over your sensitive data to a company or person that you are enacting a financial transaction with, you are almost unconsciously believing that the information will be secured in every way. How often do you question the recipient of your data on how it will be protected?! We are getting more privacy savvy as consumers but when someone at a doctor's office or big box store asks for our social security number to complete a transaction, people generally deliver the number. When and if the company that has your data either moves locations or worse, goes out of business, you don't ever think about what they are doing with your data. You just think that it is securely destroyed and that's the end of it.&lt;br /&gt;&lt;br /&gt;IN THE REAL WORLD what usually happens is that your financial information when received is simply put in a computer, or a hardcopy file. Sometimes it is secured, most times it is not - especially if the company is a small one. The article from the New York Times below got me thinking about some war stories that I have heard being in the Mortgage industry. 
I remember someone recently told me that a small mortgage broker in their town suddenly went out of business one day and all they did with their piles of mortgage applications was to put them in boxes and then out on the curb to be picked up by the trash men that week. It was a particularly blustery week in that town and 1003 mortgage applications (the crown jewels of your financial life) were blowing all down the street for anyone to see or pick up. Manna from heaven for identity thieves or ne'er-do-wells...&lt;br /&gt;&lt;br /&gt;Next time you are asked to hand over data you consider personal or sensitive, ask the recipient "Before I give you this info, how do you protect and secure it?" If they look at you like you're speaking Ukrainian (and you are not in Kiev), you should consider taking your business elsewhere. There have to be consequences for such negligence.&lt;br /&gt;&lt;br /&gt;How Safe is Your Financial Data?&lt;br /&gt;&lt;a href="http://www.nytimes.com/2009/02/15/realestate/15mort.html?_r=1&amp;amp;scp=1&amp;amp;sq=how%20safe%20is%20your%20financial%20data?&amp;amp;st=cse"&gt;http://www.nytimes.com/2009/02/15/realestate/15mort.html?_r=1&amp;amp;scp=1&amp;amp;sq=how%20safe%20is%20your%20financial%20data?&amp;amp;st=cse&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://privacynsecurity.blogspot.com/feeds/8720075947331620024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://privacynsecurity.blogspot.com/2009/02/how-safe-is-your-financial-data-do-you.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8720075947331620024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1411700222164224755/posts/default/8720075947331620024'/><link rel='alternate' type='text/html' href='http://privacynsecurity.blogspot.com/2009/02/how-safe-is-your-financial-data-do-you.html' title='How safe is your financial data? Do you ask?'/><author><name>Al Raymond, CIPP, CISSP - CPO at PHH Corporation</name><uri>http://www.blogger.com/profile/08246559709534693627</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://3.bp.blogspot.com/_dcSemsOSHJU/SaKophzA2wI/AAAAAAAAAAM/vw3-SVUCas0/S220/web-photo.jpg'/></author><thr:total>4</thr:total></entry></feed>
