I want to continue my discussion from last month about one of the biggest threats to your right of privacy - you.
If you have a Facebook account you probably get 10-15 requests a week from your Friends to answer or play games or contests that require some personal information to be input or revealed - the most famous and pervasive application was the "25 Things You Don't Know About Me" which took the Facebook community by storm over the spring and summer.
Notwithstanding the fact that you get to know random, irrelevant and mostly inane 'facts' about your friends and friends of friends, what is more insidious is what you reveal to them and the world at large. Since most cases of identity theft are committed by people that the victim knows well or has some relationship with, it is not improbable that you may have 'friended' that person on Facebook as well. Now that they know what your first dog's name was, or your favorite grade school teacher, or that you eat peas with a fork, that insight allows them to glean little bits of info about you that help build a case of identity theft. Think about all of the websites that ask for either passwords or security questions as credentials. You supply very similar information as the answers, and in many cases you also get to provide your own questions - some of which mirror the ones asked by that Facebook application itself. Perfect fodder for ID thieves... and most valuable because it comes right from the source.
So think before you surrender little pieces of your personal life for what you may think to be only harmless and transitory amusement (and for free!). It may have some very long-lasting and unwanted repercussions.
Privacy and security are typically good things. But the way they are implemented or presented to real people to follow in the real world is not always realistic. Sometimes they are just downright ridiculous.
Sunday, November 15, 2009
Saturday, October 10, 2009
An effective incident response process
Thanks to the great people at SC Magazine for publishing this piece of mine.
Security and privacy incidents pose real risks to companies of any size and complexity.
These types of unwelcome events do not discriminate. The steps your company takes to deal with the response and remediation, however, will allow you to differentiate yourself from other companies who suffer the same fate.
An excellent first step in the incident response process is to simply define and understand what the terms violation, incident or breach mean in the context of your industry's lexicon. The terms may already be defined by regulations or laws that govern your industry or company. If so, you should align your understanding with these already-defined measures since you will probably be legally held to them in the case of an incident. It also will be beneficial to try and articulate the possible scenarios that are likely to occur in your line of work. While you cannot possibly define every likely incident, you should be able to imagine a short list of the ones within the realm of possibility.
Second, define, document and publish procedures that are to be followed in the event of an incident. The procedure should include steps to take in reaction to the incident that define who does what and when. The procedures don't necessarily need to be overly detailed or verbose, but they should avoid being subjective or too generic so as not to invite indecision or confusion during a time when you least want it. Having a single procedural guide on which to rely during incidents fosters accountability and follow-through.
Once a central point of contact is appointed, then a response team can be created. Depending on your company, this may be an army of one or a group of 25. If you don't have the luxury of dedicated resources, then a virtual team can be named that comes together in a time of crisis, and then just as quickly dissolves once the storm has passed. This process allows a company to harness the particular expertise of its employees, while still allowing them to do their day jobs.
In this age of free-flowing information, your customers and clients do not realistically expect you to never have a security or privacy breach. No rational person expects all of their data, in all its iterations, in all locations, to forever remain safe and secure. What those customers and clients do expect of you is to have a process in place to reasonably prevent the incident from happening and, when it does happen, to have a plan in place to deal with the consequences. Part of those consequences involves notice to clients and customers of what happened, details on how you will rectify the current situation and, finally, plans to ensure that this same event does not happen in the future.
From the October 2009 Issue of SCMagazine (http://www.scmagazineus.com/An-effective-incident-response-process/article/151825/)
Thursday, October 1, 2009
The Privacy Paradox Part I
"You have zero privacy anyway. Get over it." - Former Sun Microsystems CEO, Scott McNealy.
With the increasing evidence of the lack of personal privacy that average Americans are experiencing daily, it might be interesting to try and uncover possible culprits and root causes. Technology? The Government? Global warming? Nope. Here's the answer: You. Read on.
Forget about the lack of privacy for a second. Instead, think about all you do to try and stay secure, and low profile enough so as not to make yourself a target for identity theft: you shred all of your sensitive documents, you only do business online with SSL-enabled websites, you check your credit score annually, you read your credit card statements carefully. And yet, ironically, many of your daily habits work to undermine the anonymity and low visibility you seek to maintain. How? Simple. Throughout the week, in the online and offline world, start counting up all of the places you leave an electronic fingerprint or footprint big enough that Hansel and Gretel would have no problem following it home, let alone someone more nefarious trying to track you.
Let’s start in the morning. You head to Starbucks for coffee and breakfast. You pay with your Starbucks card and a little crumb is left that you were there. (Literally and figuratively.)
As you head over the bridge, you maneuver towards the E-ZPass lane to expedite your crossing, while the camera reads your E-ZPass tag and debits your account for the $4 toll. At the same time, it records that you were crossing the bridge, again, that morning at around the same time every week day.
Once you’re at work, all day you’ll be logging into websites that you typically frequent that will greet you with the “Welcome Back!” message, since you checked the “Remember Me” box on the sites and a ‘cookie’ was placed on your computer. Ostensibly created to enrich the surfing experience and save users from logging in every time, the cookies tell the websites not only when you went to the site but what kind of things you like to do when you are there. You may have even given them a credit card to hold for you as a matter of convenience! (Yours or theirs?)
You head to the gym at lunch and swipe your bar-coded gym card to let L.A. Fitness know you exercise at least 3 days a week. After the gym, you stop at Chick-fil-A for a grilled chicken sandwich, which you pay for by credit card. MasterCard now knows you like waffle fries.
You stop on the way home from work at ShopRite for flowers for the wife and before you pay, you swipe your ShopRite Plus card at the register to save $1.50 on the bouquet, and, unknowingly, to help ShopRite know not only to order another batch of orchids for its inventory, but what your shopping preferences are as well. Finally, you make a call home to let them know you’re running late. But the GPS tracking in your iPhone already knows this.
And this is all in just one day… the pattern amplifies once you begin to travel further away from home and to other countries. Everything collected about you so far was possible because you felt it a worthwhile voluntary tradeoff of a bit of your privacy for the sake of convenience and efficiency; none of it was required or mandated by anyone.
Here’s the kicker. Think of the proverbial frog in the pot: turn up the heat immediately and he jumps out. If you slowly turn up the heat incrementally, he boils to death without realizing it. So you think you are losing your privacy little by little every day? Guess what? You are. And it’s not because the government or advancements in technology are necessarily taking it away; it is because you are giving it away. Little by little. And you may not realize it. Just like the little oblivious frog.
Monday, September 14, 2009
Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention
I just published a White Paper with an associate, Todd Ruback, entitled
"Data Breach: Overview of Trends in Litigation and an Approach to Practical Prevention".
The purpose of the paper is to review the topic of data breach from two perspectives: first, an overview of the trends in data breach litigation, and second, a more granular perspective of practical data protection processes that may serve as a guidepost to help reduce the risk of likelihood of data breach. Taken together the reader will understand why a measured approach to data protection can reduce the risk of financial liability from a data breach lawsuit.
Here is the link to the paper. Please let me know your comments or feedback.
http://tinyurl.com/n9d9lc
Al
Sunday, June 28, 2009
Airport Security Part II
As I have recently been in airports in India, Malaysia, and the Philippines, I am continuing my discussion from last month on the absurd, contrived and even artificial displays of security in airports around the world. Though I don’t want to minimize the real and effective measures of security that some of the airports I was in had in place (especially Kuala Lumpur), there still seemed to be a number of procedures and processes in place that were either ill-conceived or, worse, arbitrary.
The best example of this scenario I can give you is the practice of some airports which require you to have your luggage screened for dangerous items right after you enter the airport. The curious thing about this procedure is that the luggage screening machine is right in the middle of the airport floor, and that in most cases you are given your luggage back to then take it to the ticketing counters to check it yourself. In India and Manila, for example, airport security staff (manually) put a very thin plastic security band around the middle of your checked luggage which states that this piece of luggage has now been ‘security screened.’ For the life of me, I cannot imagine why the authorities who concocted this process would not think that someone could easily put an explosive or some other device in their luggage after it went through the scanner and was given back to them?!? Granted, there might be a secondary screening after the bag is checked at the ticket counter (which I doubt), but why make it so easy to bypass this first layer of security?
In the world of privacy and security, the most effective defenses are a series of layered security hurdles, be they electronic, physical or a combination of both. The point is to set up a series of inline hurdles that a bad guy needs to clear before being able to cause damage to your organization. And those hurdles should be progressively more difficult: the more determined the bad guy is, the more work he should have to do to get to the prize. The initial barriers of defense are fine for the lazy, stupid or inadvertent criminal, but the last barriers should be very difficult to overcome (e.g. biometrics).
All this has a price. Contrived security measures make a mockery of the whole notion of having security in place at all. At best, it causes inconveniences and extra costs for both travelers and the airport system in general. At worst, it gives bad guys easy insights into exploiting the systems and also gives travelers a false sense of safety. And that is the most expensive price of all to pay.
Sunday, May 31, 2009
Airport Security: Security through Absurdity?
IN A PERFECT WORLD security and screening procedures at all airports around the world would be the same, and uniformly applied to all travelers. Airport security agencies could always apply stricter measures of interrogation or screening as appropriate, based on a tangible or reasonable suspicion of travelers who may pose a risk to the safety of the other fliers.
IN THE REAL WORLD of course, this does not always happen, if at all. I am a frequent and diverse traveler, having visited at least 28 countries so far. I think that I speak for many travelers when I say that the most frustrating aspect of the security screening process is not the ridiculously invasive and inane measures of having us remove most of our clothes. Nor is it the ‘random’ screening of grandmothers and 5-year-old kids that makes people inwardly think that Osama Bin Laden would laugh himself silly over these ‘protective’ measures if he could witness what he hath wrought. No, I think what infuriates the traveler most, at least the seasoned ones who have some point of reference, is the real weakness of the procedures that are in place: inconsistency.
Now, I grudgingly concede that screening should be done in this day and age. I would even finally quietly submit to the partial disrobing that occurs in the most public of places, if only it was the same routine each and every time. For example, sometimes I have to take my little bag of 3-ounce toiletries (the ‘humiliation baggie’ as I call it) out of my suitcase, and sometimes I forget and it goes through the scanner with no comment whatsoever. Sometimes I have to take my stainless steel watch off; sometimes I don’t. Sometimes I have to remove my belt; sometimes I don’t. Does the watch or belt represent a risk or not? Just tell us to do it every time or let us board a plane with at least an ounce of dignity remaining. You used to be able to put your shoes and coat in the same bin at screening; now I notice they are making you put your shoes right on the belt as it goes through the scanner. (Are terrorists still trying to get on planes with explosives in their shoes?!? Hasn’t that ship left the dock? God forbid some dumbass terrorist tries to smuggle explosives on the plane in his underwear… ponder what that might mean at screening…)
In every U.S. airport I have to remove my laptop from my bag before it goes through the scanner; in most foreign airports, I don’t. In the U.S., you have to have a picture ID that matches the name on the boarding pass; in India, for instance, they don’t even ask you for I.D. when flying within the country.
So why the inconsistencies? I can’t imagine the TSA in its infinite wisdom has created the process by design to foil or catch bad guys. If anything, the haphazard application of the rules will only catch the stupidest of terrorists. I realize that the poor TSA employees in the airport are only following orders from above and have to deal with the wrath of the beleaguered travelers. Again, the concern from most travelers is that the procedures are more knee-jerk reactions to recent past threats and not proactive measures that are risk-based. The TSA should take note from the screening measures in Israeli airports. The Israelis do not try and mete out politically correct measures to everyone (grandmothers and 5-year-olds) like we do here; instead they focus their efforts on the most likely suspects and on the targets that are most likely to try and do them harm – generally Arab males between ages 18-35. In other words, they are consistent. Does it work? The Israelis have not had any airline terrorist incidents since 1973. What do you think?
Thursday, May 21, 2009
Lost my data? Oh, thanks for telling me!
IN A PERFECT WORLD if a company suffered a data or security breach or compromise, the company would have to notify only the customers it had in the state where the company was incorporated or was headquartered. Or, slightly more onerous, the company would notify all of its customers, but only according to the notification and disclosure law(s) (if any were in effect) within the state where the company was headquartered. The company would always disclose these infractions as it was in the best interest of both the company, by building good will with its customers, and good for the customers by making them aware of an untoward event that may make their financial life a bit less agreeable.
IN THE REAL WORLD of course this does not always happen, if at all. In fact, as recently as 2003, before California SB 1386 (California Security Breach Information Act – the first of its kind), the de facto procedures that companies followed if and when a breach occurred were generally up to the discretion of company management. And do you ever remember receiving, back then, the kind of notification letters that you probably receive now a few times a year when a company loses a laptop, backup tape, server, box of files, etc.?
As of this writing, there are 45 unique state breach notification laws that companies doing business in more than one state must contend with. As my business associate Todd Ruback, a privacy/data breach and Internet attorney and CIPP at DiFrancesco, Bateman, Coley, Yospin, Kunzman, Davis & Lehrer, likes to remind me, there are still companies – and not just small ones – that mistakenly believe that you only have to comply with the breach laws of your own state, regardless of where your customer base resides. Not true!
If it wasn’t for these laws, most breaches, compromises, or data lost by companies would go unreported. Companies were always frightened that disclosing this information would cause customers to lose faith and confidence in the company’s ability to protect the sensitive information with which it was entrusted. And they had good reason to be afraid. Historically, consumers would abandon any company that showed a blatant disregard for the protection of its customers’ data. Today, probably due to the overall plunge in customer service quality, and the public’s general acceptance of this dismal state of affairs, breach notices received in the mail are treated with a lot less interest than receipt of the new Victoria’s Secret catalog. And that is a shame because, as much as you would like it to, a sexy new swimsuit won’t change your life for the better. However, one of these notices telling you that your personal and sensitive information has been lost and is now in the ether somewhere may just change your life for the worse.