<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
  <channel>
    <title>The Security Catalyst</title>
    <link>http://odeo.com/channels/40337-The-Security-Catalyst</link>
    <itunes:author>MichaelSantarcangelo</itunes:author>
    <itunes:explicit>no</itunes:explicit>
    <description>changing the way people protect information</description>
    <itunes:summary>changing the way people protect information</itunes:summary>
    <itunes:subtitle>changing the way people protect information</itunes:subtitle>
    <language>en</language>
    <ttl>40</ttl>
    <itunes:image href="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png"/>
    <image link="http://odeo.com/channels/40337-The-Security-Catalyst" title="The Security Catalyst" url="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png"/>
    <pubDate>Thu, 05 Nov 2009 03:00:11 -0800</pubDate>
    <lastBuildDate>Thu, 05 Nov 2009 03:00:11 -0800</lastBuildDate>
    <category>Technology</category>
    <itunes:category text="Technology"/>
    <item>
      <title>FTC Says Bloggers Must Disclose Freebies</title>
      <link>http://odeo.com/episodes/25404320-FTC-Says-Bloggers-Must-Disclose-Freebies</link>
      <description>by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009. The FTC press release emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for&#8230; failure to disclose material connections between [them].&#8221; Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency. Here&#8217;s the bottom line: Bloggers &#8211; Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers &#8211; Make sure social media marketing plans require your ad agencies and paid b...</description>
      <itunes:subtitle>by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009. The FTC press release emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for&#8230; failure to disclose material connections between [them].&#8221; Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency. Here&#8217;s the bottom line: Bloggers &#8211; Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers &#8211; Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid. But bloggers shouldn&#8217;t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed. Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. 
In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion. The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say. In addition, simply using an ad agency doesn&#8217;t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now incur liability on advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent. Tips for Advertisers: Tell Your Bloggers: Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221; Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes. 
Tips for Advertising Agencies (especially Social Media): Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability. Tell Your Bloggers: See above. Watch Your Bloggers: See above. Tips for Bloggers: Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality). Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out. Don&#8217;t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion. It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet. 
May I be the first to suggest &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;. Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</itunes:subtitle>
      <itunes:summary>by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009. The FTC press release emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for&#8230; failure to disclose material connections between [them].&#8221; Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency. Here&#8217;s the bottom line: Bloggers &#8211; Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers &#8211; Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid. But bloggers shouldn&#8217;t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed. Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. 
In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion. The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say. In addition, simply using an ad agency doesn&#8217;t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now incur liability on advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent. Tips for Advertisers: Tell Your Bloggers: Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221; Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes. 
Tips for Advertising Agencies (especially Social Media): Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability. Tell Your Bloggers: See above. Watch Your Bloggers: See above. Tips for Bloggers: Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality). Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out. Don&#8217;t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion. It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet. 
May I be the first to suggest &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;. Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-11-05,25404320</guid>
      <pubDate>Thu, 05 Nov 2009 03:00:11 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/v9ptnhSx9F0/091005endorsementguidesfnnotice.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>twitter, communication, social media, policy, Blog, risk, compliance, Security Catalyst Contributors, Aaron Titus, disclaimers</itunes:keywords>
    </item>
    <item>
      <title>Into the Breach &#8211; Audio Series &#8211; Chapter 4 (The Solution: Manage People, Information and Risk)</title>
      <link>http://odeo.com/episodes/25387838-Into-the-Breach-%E2%80%93-Audio-Series-%E2%80%93-Chapter-4-The-Solution-Manage-People-Information-and-Risk</link>
      <description>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 4) Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk &#8211; and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. W...</description>
      <itunes:subtitle>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 4) Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk &#8211; and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier. Go deeper Into the Breach with Michael Santarcangelo in November with EMC In November, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains why the current practices are essentially &#8220;risk reaction&#8221; and explains how he helps companies get results that harness the power of their people to inform and improve the risk management process. This also sets the stage for the next part of the book, as Michael explains more about how to leverage his research and experience to get real results and prepare for a successful 2010. 
If you have a question about how to leverage the power of Into the Breach for your organization, please contact Michael to get the insights and guidance for success! Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get access to the November session. You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by: Engaging (not following) Michael on twitter (http://twitter.com/catalyst); Subscribing to The Security Catalyst podcast &amp; blog to get more insights; Learning more about Michael&#8217;s keynotes &#8211; and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!</itunes:subtitle>
      <itunes:summary>Episode 5: Into the Breach: Chapter 4 (The Solution: Manage People, Information and Risk) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 4) Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk &#8211; and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier. Go deeper Into the Breach with Michael Santarcangelo in November with EMC In November, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains why the current practices are essentially &#8220;risk reaction&#8221; and explains how he helps companies get results that harness the power of their people to inform and improve the risk management process. This also sets the stage for the next part of the book, as Michael explains more about how to leverage his research and experience to get real results and prepare for a successful 2010. 
If you have a question about how to leverage the power of Into the Breach for your organization, please contact Michael to get the insights and guidance for success! Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get access to the November session. You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by: Engaging (not following) Michael on twitter (http://twitter.com/catalyst); Subscribing to The Security Catalyst podcast &amp; blog to get more insights; Learning more about Michael&#8217;s keynotes &#8211; and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-11-03,25387838</guid>
      <pubDate>Tue, 03 Nov 2009 03:36:26 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-4.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Blog, News and Events</itunes:keywords>
    </item>
    <item>
      <title>Into the Breach &#8211; Audio Series &#8211; Chapter 3 (Breaking the Security Diet)</title>
      <link>http://odeo.com/episodes/25245582-Into-the-Breach-%E2%80%93-Audio-Series-%E2%80%93-Chapter-3-Breaking-the-Security-Diet</link>
      <description>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 3) Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this &#8220;fad diet&#8221; approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet...</description>
      <itunes:subtitle>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 3) Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this &#8220;fad diet&#8221; approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information. Go deeper Into the Breach with Michael Santarcangelo in October with EMC In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to; Expand upon or update the elements in the chapter you just listened to; Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get reminded to join in for the September session. 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by: Engaging (not following) Michael on twitter (http://twitter.com/catalyst); Subscribing to The Security Catalyst podcast &amp; blog to get more insights; Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</itunes:subtitle>
      <itunes:summary>Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet) Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 3) Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this &#8220;fad diet&#8221; approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information. Go deeper Into the Breach with Michael Santarcangelo in October with EMC In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to; Expand upon or update the elements in the chapter you just listened to; Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get reminded to join in for the September session. 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by: Engaging (not following) Michael on twitter (http://twitter.com/catalyst); Subscribing to The Security Catalyst podcast &amp; blog to get more insights; Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-10-06,25245582</guid>
      <pubDate>Tue, 06 Oct 2009 19:15:17 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/o9EwlMjE0c0/ITB-Santarcangelo-CHAPTER-3.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Blog, Catalyst, encryption, audit, compliance, regulation, assessment, into the breach, santarcangelo, News and Events, keynote speaker</itunes:keywords>
    </item>
    <item>
      <title>Into the Breach &#8211; Audio Series &#8211; Chapter 2 (People Just Want to Do Their Jobs)</title>
      <link>http://odeo.com/episodes/25055869-Into-the-Breach-%E2%80%93-Audio-Series-%E2%80%93-Chapter-2-People-Just-Want-to-Do-Their-Jobs</link>
      <description>Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 2) Chapter 2 reframes the challenge with powerful insights about the way people &#8220;just want to do their jobs.&#8221; Michael introduces what he calls the two principles &#8211; a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it...</description>
      <itunes:subtitle>Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 2) Chapter 2 reframes the challenge with powerful insights about the way people &#8220;just want to do their jobs.&#8221; Michael introduces what he calls the two principles &#8211; a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, &#8220;Compliance is not a video game&#8221; and reveals that a common approach of &#8220;exclusion&#8221; is creating more harm than good. The chapter wraps up with a discussion of &#8220;the human response to pain&#8221; &#8211; with a common example played out in organizations everywhere. Go deeper Into the Breach with Michael Santarcangelo on September 16th On September 16th, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. 
During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to; Expand upon or update the elements in the chapter you just listened to; Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get reminded to join in for the September session. You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by: Engaging (not following) Michael on twitter (http://twitter.com/catalyst); Subscribing to The Security Catalyst podcast &amp; blog to get more insights; Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV (dates now in Alaska, NYC and working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</itunes:subtitle>
      <itunes:summary>Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 2) Chapter 2 reframes the challenge with powerful insights about the way people &#8220;just want to do their jobs.&#8221; Michael introduces what he calls the two principles&#160; &amp;#8211; a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, &#8220;Compliance is not a video game&#8221; and reveals that a common approach of &#8220;exclusion&#8221; is creating more harm than good. The chapter wraps up with a discussion of &#8220;the human response to pain&#8221; &#8211; with a common example played out in organizations everywhere. Go deeper Into the Breach with Michael Santarcangelo on September 16th On September 16th, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. 
During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to Expand upon or update the elements in the chapter you just listened to Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get reminded to join in for the September session. You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by Engaging (not following) Michael on twitter (http://twitter.com/catalyst) Subscribing to The Security Catalyst podcast &amp;amp; blog to get more insights Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV (dates now in Alaska, NYC and working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-09-01,25055869</guid>
      <pubDate>Tue, 01 Sep 2009 06:34:53 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-2.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Blog, awareness, Catalyst, compliance, EMC, into the breach, santarcangelo, News and Events</itunes:keywords>
    </item>
    <item>
      <title>Into the Breach &#8211; Audio Series &#8211; Chapter 1 (Breach: A Human Problem)</title>
      <link>http://odeo.com/episodes/24911383-Into-the-Breach-%E2%80%93-Audio-Series-%E2%80%93-Chapter-1-Breach-A-Human-Problem</link>
      <description>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 1) Chapter 1 defines the challenge of breach as a &#8220;human problem&#8221; and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all informat...</description>
      <itunes:subtitle>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 1) Chapter 1 defines the challenge of breach as a &#8220;human problem&#8221; and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected. A personal invitation to go deeper Into the Breach with Michael Santarcangelo In two weeks, join Michael Santarcangelo for an insider&#8217;s perspective and live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to Expand upon or update the elements in the chapter you just listened to Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results Did you miss the in-depth discussion with Michael about the Introduction? If so, go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded session and get reminded to join in for the August session. 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by Engaging (not following) Michael on twitter (http://twitter.com/catalyst) Subscribing to The Security Catalyst podcast &amp;amp; blog to get more insights Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV</itunes:subtitle>
      <itunes:summary>Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem) Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy &#8211; to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this episode (Chapter 1) Chapter 1 defines the challenge of breach as a &#8220;human problem&#8221; and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected. A personal invitation to go deeper Into the Breach with Michael Santarcangelo In two weeks, join Michael Santarcangelo for an insider&#8217;s perspective and live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will: Reveal the ideas and concepts that may have been pared from the chapter you just listened to Expand upon or update the elements in the chapter you just listened to Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results Did you miss the in-depth discussion with Michael about the Introduction? If so, go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded session and get reminded to join in for the August session. 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by Engaging (not following) Michael on twitter (http://twitter.com/catalyst) Subscribing to The Security Catalyst podcast &amp;amp; blog to get more insights Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-08-04,24911383</guid>
      <pubDate>Tue, 04 Aug 2009 17:54:36 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/IByPefweaaM/ITB-Santarcangelo-CHAPTER-1.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Blog, Catalyst, breach, Information Protection, into the breach, Security Awareness, News and Events</itunes:keywords>
    </item>
    <item>
      <title>Into the Breach &#8211; Audio Series &#8211; The Introduction</title>
      <link>http://odeo.com/episodes/24749020-Into-the-Breach-%E2%80%93-Audio-Series-%E2%80%93-The-Introduction</link>
      <description>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this segment The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey &#8220;Into the Breach&#8221;, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded. A Private Invitation to Engage with Mic...</description>
      <itunes:subtitle>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this segment The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey &#8220;Into the Breach&#8221;, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded. A Private Invitation to Engage with Michael Santarcangelo Build on your experience. Sign-up for exclusive invitation-only conversations [click on the link to sign up now for your invitation] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released where he will: Reveal the ideas and concepts that got cut from each chapter Expand upon or update the elements in the chapter you just listened to Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit http://www.configuresoft.com/securitycatalyst.aspx for more details and to get your invite! 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by Engaging (not following) Michael on twitter (http://twitter.com/catalyst) Subscribing to The Security Catalyst podcast &amp;amp; blog to get more insights Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV</itunes:subtitle>
      <itunes:summary>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total). What you&#8217;ll find in this segment The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey &#8220;Into the Breach&#8221;, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded. A Private Invitation to Engage with Michael Santarcangelo Build on your experience. Sign-up for exclusive invitation-only conversations [click on the link to sign up now for your invitation] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released where he will: Reveal the ideas and concepts that got cut from each chapter Expand upon or update the elements in the chapter you just listened to Answer questions in a candid and direct style &#8211; focused on delivering insights that lead to results The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit http://www.configuresoft.com/securitycatalyst.aspx for more details and to get your invite! 
You want more, so after listening&#8230; After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by Engaging (not following) Michael on twitter (http://twitter.com/catalyst) Subscribing to The Security Catalyst podcast &amp;amp; blog to get more insights Checking out the upcoming schedule to meet Michael (and his family) &#8220;onTour&#8221; &#8211; as they travel the country by RV</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-07-05,24749020</guid>
      <pubDate>Sun, 05 Jul 2009 11:43:04 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-INTRODUCTION.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, twitter, Blog, EMC, into the breach, News and Events, audio series, configuresoft</itunes:keywords>
    </item>
    <item>
      <title>How To Complete A Task</title>
      <link>http://odeo.com/episodes/24434859-How-To-Complete-A-Task</link>
      <description>by Dennis Kuntz This post was inspired, with tongue firmly in cheek, by several events/items/folks: a sleepless night (of which I have all too many); a Twitter conversation with &#252;ber-catalyst Michael Santarcangelo; one of the greatest books ever written, G&#246;del, Escher, Bach: An Eternal Golden Braid , by Douglas Hofstadter (specifically the Little Harmonic Labyrinth - reading it will give you context - &#160;but also the book in general); and the concept of a Wiki. W.I.K.I. Entry - How To Complete A Task Henry is going to &amp;#8220;complete&amp;#8221; a single, specific, discrete task. Completion, however, is loosely defined here as either meeting the task&amp;#8217;s end, or merely making any progress on the specific task in question. He is accompanied by his friend Bob. Henry: Bob, I feel so energized - I&amp;#8217;m focused and enthused! I have no meetings. The office is quiet. Not only that, but I have a very specific task that I&amp;#8217;d like to work on. I don&amp;#8217;t even have to get it done (altho...</description>
      <itunes:subtitle>by Dennis Kuntz This post was inspired, with tongue firmly in cheek, by several events/items/folks: a sleepless night (of which I have all too many); a Twitter conversation with &#252;ber-catalyst Michael Santarcangelo; one of the greatest books ever written, G&#246;del, Escher, Bach: An Eternal Golden Braid , by Douglas Hofstadter (specifically the Little Harmonic Labyrinth - reading it will give you context - &#160;but also the book in general); and the concept of a Wiki. W.I.K.I. Entry - How To Complete A Task Henry is going to &amp;#8220;complete&amp;#8221; a single, specific, discrete task. Completion, however, is loosely defined here as either meeting the task&amp;#8217;s end, or merely making any progress on the specific task in question. He is accompanied by his friend Bob. Henry: Bob, I feel so energized - I&amp;#8217;m focused and enthused! I have no meetings. The office is quiet. Not only that, but I have a very specific task that I&amp;#8217;d like to work on. I don&amp;#8217;t even have to get it done (although that would be great) - I just have to start it and make any kind of progress on it and the day will be a success! What could possibly go wrong?! Bob: Henry, I really think you shouldn&amp;#8217;t say things like that. Henry: Like what? That I&amp;#8217;m excited? What&amp;#8217;s wro- Bob: No, I mean things like, &amp;#8220;What could possibly go wrong?&amp;#8221; It just gives me a bad feeling. Henry: Um, ok. Well anyway, today I&amp;#8217;m going to begin to step through the awesome &amp;#8220;DFRWS Challenge Walk Through&amp;#8221; from the winning submission to the challenge by Michael I. Cohen, David J. Collett, and Aaron Walters. That&amp;#8217;s it! Nothing else needs to be done! I&amp;#8217;ve downloaded the challenge files. Now, all I have to do is install pyflag and I&amp;#8217;m ready to go! Bob: Oh noez - this is what I was afraid of&amp;#8230;. Henry: No problem. 
I already have the latest version of Ubuntu (Intrepid Ibex). I&amp;#8217;ll just do a quick apt-get install and&amp;#8230;[types "sudo apt-get install pyflag". The computer responds with "Couldn't find package 'pyflag'"]. Hrmm, that&amp;#8217;s interesting. It couldn&amp;#8217;t find the package. That&amp;#8217;s ok, I&amp;#8217;ll just consult the W.I.K.I. Bob: I thought it was &amp;#8220;wiki&amp;#8221; - as in a Hawaiian word meaning &amp;#8220;fast&amp;#8221;? Henry: Well that&amp;#8217;s one thing to consult. I prefer the W.I.K.I - it stands for W.I.K.I Increases Knowledge Incrementally. Bob: Hrmm. Incremental things can lead very subtly to the infinite - especially when the increments - or the acronyms - involved are recursive. Recall Zeno&amp;#8217;s paradox&amp;#8230;. Henry: You&amp;#8217;re a worrywart. [Opens the W.I.K.I. entry for 'apt-get "Couldn't find package" error' and starts reading] Henry: Hey Bob, when one gets this error, they should first consult their list of repositories to make sure they have any/all of the appropriate ones. Bob: Sounds like a good idea Henry! Henry: Interesting. The W.I.K.I. entry has characters in it named after us, and the entry is in dialogue form. Probably to give a good example of a real person performing the tasks! Bob: That is indeed interesting. Read on! Henry: Ok, the repositories are fine. I guess I&amp;#8217;ll consult the W.I.K.I. to see what to do next. Bob: W.I.K.I&amp;#8217;s are great! Maybe that last &amp;#8216;I&amp;#8217; should stand for &amp;#8220;Infinite&amp;#8221; because they&amp;#8217;re so vastly useful for when things go wrong! Bob: Hey - they&amp;#8217;re looking at a W.I.K.I. too. So I guess that makes it a meta-W.I.K.I.! Henry: Actually, a meta-W.I.K.I. should be a W.I.K.I. about W.I.K.I.&amp;#8217;s. I read a blog post once about an author who asked for indulgence in certain definitions for the sake of his post. Bob: What&amp;#8217;s a blog post? Henry: Never mind. 
Let&amp;#8217;s continue reading&amp;#8230;. [Henry reads the entry on what to do when apt-get repositories entries are not available for a given app] Henry: I need to download and compile the source for this app. That sounds easy enough! Bob: Something tells me it may not be&amp;#8230;. Henry: Ok, here it goes! [Henry proceeds to download the source for his app] Now I run &amp;#8216;configure&amp;#8216;, &amp;#8216;make&amp;#8216;, and then &amp;#8216;sudo make install&amp;#8216;. Oh wait, there&amp;#8217;s an error for some missing libraries. Bob: You should consult the- Henry: -W.I.K.I. Yes, I will&amp;#8230; * * * * * ..{W.I.K.I. entry} * * * * * Henry: Whew! Boy, that seemed like an infinite list of issues to overcome just to get that compiled! But at least it&amp;#8217;s done! Bob: Yes. I think we need to celebrate with some pizza! Henry: Indeed! Henry: Well that was all very useful. However I seem to have forgotten why we were looking this up in the W.I.K.I. in the first place. Oh well, let&amp;#8217;s just call it a day and play World of Warcraft. Bob: Sounds like a plan!</itunes:subtitle>
      <itunes:summary>by Dennis Kuntz This post was inspired, with tongue firmly in cheek, by several events/items/folks: a sleepless night (of which I have all too many); a Twitter conversation with &#252;ber-catalyst Michael Santarcangelo; one of the greatest books ever written, G&#246;del, Escher, Bach: An Eternal Golden Braid , by Douglas Hofstadter (specifically the Little Harmonic Labyrinth - reading it will give you context - &#160;but also the book in general); and the concept of a Wiki. W.I.K.I. Entry - How To Complete A Task Henry is going to &amp;#8220;complete&amp;#8221; a single, specific, discrete task. Completion, however, is loosely defined here as either meeting the task&amp;#8217;s end, or merely making any progress on the specific task in question. He is accompanied by his friend Bob. Henry: Bob, I feel so energized - I&amp;#8217;m focused and enthused! I have no meetings. The office is quiet. Not only that, but I have a very specific task that I&amp;#8217;d like to work on. I don&amp;#8217;t even have to get it done (although that would be great) - I just have to start it and make any kind of progress on it and the day will be a success! What could possibly go wrong?! Bob: Henry, I really think you shouldn&amp;#8217;t say things like that. Henry: Like what? That I&amp;#8217;m excited? What&amp;#8217;s wro- Bob: No, I mean things like, &amp;#8220;What could possibly go wrong?&amp;#8221; It just gives me a bad feeling. Henry: Um, ok. Well anyway, today I&amp;#8217;m going to begin to step through the awesome &amp;#8220;DFRWS Challenge Walk Through&amp;#8221; from the winning submission to the challenge by Michael I. Cohen, David J. Collett, and Aaron Walters. That&amp;#8217;s it! Nothing else needs to be done! I&amp;#8217;ve downloaded the challenge files. Now, all I have to do is install pyflag and I&amp;#8217;m ready to go! Bob: Oh noez - this is what I was afraid of&amp;#8230;. Henry: No problem. 
I already have the latest version of Ubuntu (Intrepid Ibex). I&amp;#8217;ll just do a quick apt-get install and&amp;#8230;[types "sudo apt-get install pyflag". The computer responds with "Couldn't find package 'pyflag'"]. Hrmm, that&amp;#8217;s interesting. It couldn&amp;#8217;t find the package. That&amp;#8217;s ok, I&amp;#8217;ll just consult the W.I.K.I. Bob: I thought it was &amp;#8220;wiki&amp;#8221; - as in a Hawaiian word meaning &amp;#8220;fast&amp;#8221;? Henry: Well that&amp;#8217;s one thing to consult. I prefer the W.I.K.I - it stands for W.I.K.I Increases Knowledge Incrementally. Bob: Hrmm. Incremental things can lead very subtly to the infinite - especially when the increments - or the acronyms - involved are recursive. Recall Zeno&amp;#8217;s paradox&amp;#8230;. Henry: You&amp;#8217;re a worrywart. [Opens the W.I.K.I. entry for 'apt-get "Couldn't find package" error' and starts reading] Henry: Hey Bob, when one gets this error, they should first consult their list of repositories to make sure they have any/all of the appropriate ones. Bob: Sounds like a good idea Henry! Henry: Interesting. The W.I.K.I. entry has characters in it named after us, and the entry is in dialogue form. Probably to give a good example of a real person performing the tasks! Bob: That is indeed interesting. Read on! Henry: Ok, the repositories are fine. I guess I&amp;#8217;ll consult the W.I.K.I. to see what to do next. Bob: W.I.K.I&amp;#8217;s are great! Maybe that last &amp;#8216;I&amp;#8217; should stand for &amp;#8220;Infinite&amp;#8221; because they&amp;#8217;re so vastly useful for when things go wrong! Bob: Hey - they&amp;#8217;re looking at a W.I.K.I. too. So I guess that makes it a meta-W.I.K.I.! Henry: Actually, a meta-W.I.K.I. should be a W.I.K.I. about W.I.K.I.&amp;#8217;s. I read a blog post once about an author who asked for indulgence in certain definitions for the sake of his post. Bob: What&amp;#8217;s a blog post? Henry: Never mind. 
Let&amp;#8217;s continue reading&amp;#8230;. [Henry reads the entry on what to do when apt-get repositories entries are not available for a given app] Henry: I need to download and compile the source for this app. That sounds easy enough! Bob: Something tells me it may not be&amp;#8230;. Henry: Ok, here it goes! [Henry proceeds to download the source for his app] Now I run &amp;#8216;configure&amp;#8216;, &amp;#8216;make&amp;#8216;, and then &amp;#8216;sudo make install&amp;#8216;. Oh wait, there&amp;#8217;s an error for some missing libraries. Bob: You should consult the- Henry: -W.I.K.I. Yes, I will&amp;#8230; * * * * * ..{W.I.K.I. entry} * * * * * Henry: Whew! Boy, that seemed like an infinite list of issues to overcome just to get that compiled! But at least it&amp;#8217;s done! Bob: Yes. I think we need to celebrate with some pizza! Henry: Indeed! Henry: Well that was all very useful. However I seem to have forgotten why we were looking this up in the W.I.K.I. in the first place. Oh well, let&amp;#8217;s just call it a day and play World of Warcraft. Bob: Sounds like a plan!</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-04-10,24434859</guid>
      <pubDate>Fri, 10 Apr 2009 03:00:22 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/r7id9lxmWqs/Digital_Forensics_Research_Workshop_2.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Blog, Wiki, task, Security Catalyst Contributors</itunes:keywords>
    </item>
    <item>
      <title>Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 2)</title>
      <link>http://odeo.com/episodes/24335024-Michael-Santarcangelo-Interviewed-at-Microsoft-Small-Business-Summit-Segment-2</link>
      <description>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!</description>
      <itunes:subtitle>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!</itunes:subtitle>
      <itunes:summary>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-03-20,24335024</guid>
      <pubDate>Fri, 20 Mar 2009 08:08:07 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://blip.tv/play/AfSzQo6PFQ"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>microsoft, Videos, MSFT, Security, risk, Catalyst, breach, smb, managing people, Catalyst Insights, managing risk, Managing Information</itunes:keywords>
    </item>
    <item>
      <title>Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 1)</title>
      <link>http://odeo.com/episodes/24331494-Michael-Santarcangelo-Interviewed-at-Microsoft-Small-Business-Summit-Segment-1</link>
      <description>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches and their hidden damages, and draws on his personal experience to show how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.</description>
      <itunes:subtitle>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches and their hidden damages, and draws on his personal experience to show how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.</itunes:subtitle>
      <itunes:summary>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches and their hidden damages, and draws on his personal experience to show how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-03-19,24331494</guid>
      <pubDate>Thu, 19 Mar 2009 16:05:45 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://blip.tv/play/AfSyZY6PFQ"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos, Security, risk, password, privacy, Catalyst, breach, managing people, Catalyst Insights, managing risk, Managing Information</itunes:keywords>
    </item>
    <item>
      <title>How to Choose a Good Password</title>
      <link>http://odeo.com/episodes/24307825-How-to-Choose-a-Good-Password</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-03-15,24307825</guid>
      <pubDate>Sun, 15 Mar 2009 04:25:12 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://www.youtube.com/v/aGDvNq1c9zc&amp;hl=en&amp;fs=1"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>microsoft, Videos, Security, password, Catalyst, Managing Information</itunes:keywords>
    </item>
    <item>
      <title>The Internet in 5 Minutes or Less</title>
      <link>http://odeo.com/episodes/24268707-The-Internet-in-5-Minutes-or-Less</link>
      <description>Most of us know how to use the internet without actually understanding how it works. In five minutes, this video gives some of the fundamentals of how the Internet works. Most importantly, the internet is not a fuzzy cloud. The internet is a wire, actually buried in the ground. Computers connected directly to the internet are called &#8220;servers,&#8221; while the computers you and I use are &#8220;clients,&#8221; because they are not connected directly to the internet, but through an Internet Service Provider. Routers shuttle packets of information across the internet, and transmit e-mail, pictures, and web pages.</description>
      <itunes:subtitle>Most of us know how to use the internet without actually understanding how it works. In five minutes, this video gives some of the fundamentals of how the Internet works. Most importantly, the internet is not a fuzzy cloud. The internet is a wire, actually buried in the ground. Computers connected directly to the internet are called &#8220;servers,&#8221; while the computers you and I use are &#8220;clients,&#8221; because they are not connected directly to the internet, but through an Internet Service Provider. Routers shuttle packets of information across the internet, and transmit e-mail, pictures, and web pages.</itunes:subtitle>
      <itunes:summary>Most of us know how to use the internet without actually understanding how it works. In five minutes, this video gives some of the fundamentals of how the Internet works. Most importantly, the internet is not a fuzzy cloud. The internet is a wire, actually buried in the ground. Computers connected directly to the internet are called &#8220;servers,&#8221; while the computers you and I use are &#8220;clients,&#8221; because they are not connected directly to the internet, but through an Internet Service Provider. Routers shuttle packets of information across the internet, and transmit e-mail, pictures, and web pages.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-03-06,24268707</guid>
      <pubDate>Fri, 06 Mar 2009 19:15:35 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://www.youtube.com/v/7_LPdttKXPc&amp;hl=en&amp;fs=1"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos, packets, client, servers, Cloud Computing, Catalyst Insights, Security Catalyst Contributors, routers, Aaron Titus, fuzzy cloud, The Internet</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show &#8211; February 16 2009 &#8211; Certification &amp; Accreditation</title>
      <link>http://odeo.com/episodes/24112068-Security-Catalyst-Show-%E2%80%93-February-16-2009-%E2%80%93-Certification-Accreditation</link>
      <description>Welcome to the Security Catalyst Program - bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening! On today&#8217;s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge. A few quick notes: 1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com. Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better. 2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog - with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective. 3. I&#8217;m in the process of revamping the podcast series for 2009. I know a lot of people are struggling...</description>
      <itunes:subtitle>Welcome to the Security Catalyst Program - bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today&#8217;s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes:

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com. Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog - with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective.

3. I&#8217;m in the process of revamping the podcast series for 2009. I know a lot of people are struggling - and in addition to being a voice of optimism, I&#8217;m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help - shoot me an email: securitycatalyst@gmail.com. Stay tuned for more information.

For today&#8217;s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&amp;A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach a 2-day C&amp;A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum: http://www.potomacforum.org/

Graydon&#8217;s blog: http://www.ascensionriskmanagement.com/BlogOne/
Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike&#8217;s blog: http://www.guerilla-ciso.com/
Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are Special Publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith
Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte &amp; Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia. His scope of responsibility included both providing governance and managing risk for several data centers, a Security Operations Center, a Network Operations Center, and a Server Management Team.

Graydon McKee
Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC. Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs for clients in both the public and private sector. He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices.

Joe Faraone
Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia, with over 20 years&#8217; experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&amp;V). Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.</itunes:subtitle>
      <itunes:summary>Welcome to the Security Catalyst Program - bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today&#8217;s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes:

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com. Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog - with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective.

3. I&#8217;m in the process of revamping the podcast series for 2009. I know a lot of people are struggling - and in addition to being a voice of optimism, I&#8217;m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help - shoot me an email: securitycatalyst@gmail.com. Stay tuned for more information.

For today&#8217;s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&amp;A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach a 2-day C&amp;A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum: http://www.potomacforum.org/

Graydon&#8217;s blog: http://www.ascensionriskmanagement.com/BlogOne/
Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike&#8217;s blog: http://www.guerilla-ciso.com/
Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are Special Publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith
Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte &amp; Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia. His scope of responsibility included both providing governance and managing risk for several data centers, a Security Operations Center, a Network Operations Center, and a Server Management Team.

Graydon McKee
Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC. Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs for clients in both the public and private sector. He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices.

Joe Faraone
Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia, with over 20 years&#8217; experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&amp;V). Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-02-16,24112068</guid>
      <pubDate>Mon, 16 Feb 2009 09:18:46 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/TSC-20090216.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Catalyst, certification, into the breach, accreditation, managing risk, Security Catalyst Contributors, potomac forum</itunes:keywords>
    </item>
    <item>
      <title>8 Problems and 9 Solutions to College Information Security</title>
      <link>http://odeo.com/episodes/24059736-8-Problems-and-9-Solutions-to-College-Information-Security</link>
      <description>By Aaron Titus. Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, &#8220;sometimes the free flow of information is unintentional.&#8221; Here are eight policies and behaviors that put personal information at risk: Administrative Decentralization; Naive Office Culture; Unprotected &#8220;Old&#8221; Data; Shadow Systems; Unregulated Servers; Unsophisticated Privacy Policies; Improper Use of the SSN; Unsanitized Hard Drives. Administrative Decentralization: In a university setting each college, each department, and often each professor operates nearly autonomously. In an environment where knowledge must flow freely, decentralization is a must. However, it means that new centralized policies to address information security are difficult ...</description>
      <itunes:subtitle>By Aaron Titus

Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, &#8220;sometimes the free flow of information is unintentional.&#8221;

Here are eight policies and behaviors that put personal information at risk:

1. Administrative Decentralization
2. Naive Office Culture
3. Unprotected &#8220;Old&#8221; Data
4. Shadow Systems
5. Unregulated Servers
6. Unsophisticated Privacy Policies
7. Improper Use of the SSN
8. Unsanitized Hard Drives

Administrative Decentralization

In a university setting each college, each department, and often each professor operates nearly autonomously. In an environment where knowledge must flow freely, decentralization is a must. However, it means that new centralized policies to address information security are difficult to implement.

Naive Office Culture

A closely related risk factor is office culture. Staff turnover makes training an ongoing struggle, despite strict policies governing information control. Accidental information leaks can occur, even in the most secure IT environment. In addition, all office cultures resist changing any process, no matter how inefficient. In one example, I called my law school to discuss financial aid. After identifying myself by only my last name, the staff member automatically read my social security number over the phone.

Unprotected &#8220;Old&#8221; Data

Colleges do a pretty good job of guarding current personal information, but fail to protect older information, which is especially risky if the old data includes social security numbers. Almost every week a faculty member backs up an old hard drive to his personal web space, unaware that the hard drive contained legacy student grades and social security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years undetected and forgotten&#8212;until the information turns up on Google.

Shadow Systems

&#8220;Shadow Systems&#8221; are copies of personal information from the core system which professors, colleges, departments, and even student organizations maintain independently. Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. They multiply at an alarming rate because faculty members with administrative access can create their own databases at any time. Thus, even though a small army of information-technology professionals may guard a college&#8217;s core systems, the security perimeter extends much further. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.

Unregulated Servers

Often faculty members and third-party vendors also set up their own unregulated servers outside university firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In one security audit, a private university uncovered 250 unauthorized servers connected to its public internet network, each containing sensitive student information.

Unsophisticated Privacy Policies

Colleges&#8217; privacy policies often demonstrate a basic lack of understanding of the law and, more importantly, how the institution carries out the law through internal processes. Many policies basically say nothing more than &#8220;We follow the law,&#8221; without explaining what the law is or how they follow it. Even worse, some simply say, in essence, &#8220;Trust us, we&#8217;ll be good.&#8221; Many institutions&#8217; privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of the personal information that colleges maintain is collected online. Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, each college, department, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.

Improper Use of the SSN

Even though many colleges don&#8217;t now use social security numbers to identify students, they once did. Those old records sit like land mines on old servers. In addition, some universities print them on academic transcripts and official documents. Even though the American Association of Collegiate Registrars and Admissions Officers recommends printing the social security number on transcripts, my January 2007 study indicates that fortunately, most don&#8217;t.

Unsanitized Hard Drives

Deleted files remain almost unchanged on the hard drive until they are overwritten or the drive is physically destroyed. Once unsanitized hard drives are re-sold, sensitive personal and corporate information can be easily retrieved. Though most universities have a sanitization protocol when retiring old hard drives, enforcing the policy can be challenging.

Solutions

College administrators should consider the following:

1. Regularly scan institutional networks for sensitive information, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and file-scanning software.
2. Automatically retire &#8220;old&#8221; data on institutional servers but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.
3. Establish a &#8220;radioactive date,&#8221; which is when your institution last used social security numbers as an identifier. Files last modified before this date should be presumed dangerous.
4. Create permissions-based access to core systems. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
5. Establish a data-retention-and-access policy by balancing the threat, benefits and risks of maintaining the data.
6. Coordinate interdepartmental privacy and security practices with a special committee of information security professionals.
7. Update your privacy policy to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, &#8220;only director-level employees have access to social security numbers&#8221;) and technical practices (for example, &#8220;employee data is stored on encrypted hard drives&#8221;). Privacy policies should deal with more than just cookies and Web forms.
8. Eliminate social security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
9. Physically destroy all old hard drives.

Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch. A version of this article originally appeared in the October 24, 2008 edition of the Chronicle of Higher Education, and is republished here by arrangement.</itunes:subtitle>
      <itunes:summary>By Aaron Titus

Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, &#8220;sometimes the free flow of information is unintentional.&#8221;

Here are eight policies and behaviors that put personal information at risk:

1. Administrative Decentralization
2. Naive Office Culture
3. Unprotected &#8220;Old&#8221; Data
4. Shadow Systems
5. Unregulated Servers
6. Unsophisticated Privacy Policies
7. Improper Use of the SSN
8. Unsanitized Hard Drives

Administrative Decentralization

In a university setting each college, each department, and often each professor operates nearly autonomously. In an environment where knowledge must flow freely, decentralization is a must. However, it means that new centralized policies to address information security are difficult to implement.

Naive Office Culture

A closely related risk factor is office culture. Staff turnover makes training an ongoing struggle, despite strict policies governing information control. Accidental information leaks can occur, even in the most secure IT environment. In addition, all office cultures resist changing any process, no matter how inefficient. In one example, I called my law school to discuss financial aid. After identifying myself by only my last name, the staff member automatically read my social security number over the phone.

Unprotected &#8220;Old&#8221; Data

Colleges do a pretty good job of guarding current personal information, but fail to protect older information, which is especially risky if the old data includes social security numbers. Almost every week a faculty member backs up an old hard drive to his personal web space, unaware that the hard drive contained legacy student grades and social security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years undetected and forgotten&#8212;until the information turns up on Google.

Shadow Systems

&#8220;Shadow Systems&#8221; are copies of personal information from the core system which professors, colleges, departments, and even student organizations maintain independently. Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. They multiply at an alarming rate because faculty members with administrative access can create their own databases at any time. Thus, even though a small army of information-technology professionals may guard a college&#8217;s core systems, the security perimeter extends much further. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.

Unregulated Servers

Often faculty members and third-party vendors also set up their own unregulated servers outside university firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In one security audit, a private university uncovered 250 unauthorized servers connected to its public internet network, each containing sensitive student information.

Unsophisticated Privacy Policies

Colleges&#8217; privacy policies often demonstrate a basic lack of understanding of the law and, more importantly, how the institution carries out the law through internal processes. Many policies basically say nothing more than &#8220;We follow the law,&#8221; without explaining what the law is or how they follow it. Even worse, some simply say, in essence, &#8220;Trust us, we&#8217;ll be good.&#8221; Many institutions&#8217; privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of the personal information that colleges maintain is collected online. Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, each college, department, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.

Improper Use of the SSN

Even though many colleges don&#8217;t now use social security numbers to identify students, they once did. Those old records sit like land mines on old servers. In addition, some universities print them on academic transcripts and official documents. Even though the American Association of Collegiate Registrars and Admissions Officers recommends printing the social security number on transcripts, my January 2007 study indicates that fortunately, most don&#8217;t.

Unsanitized Hard Drives

Deleted files remain almost unchanged on the hard drive until they are overwritten or the drive is physically destroyed. Once unsanitized hard drives are re-sold, sensitive personal and corporate information can be easily retrieved. Though most universities have a sanitization protocol when retiring old hard drives, enforcing the policy can be challenging.

Solutions

College administrators should consider the following:

1. Regularly scan institutional networks for sensitive information, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and file-scanning software.
2. Automatically retire &#8220;old&#8221; data on institutional servers but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.
3. Establish a &#8220;radioactive date,&#8221; which is when your institution last used social security numbers as an identifier. Files last modified before this date should be presumed dangerous.
4. Create permissions-based access to core systems. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
5. Establish a data-retention-and-access policy by balancing the threat, benefits and risks of maintaining the data.
6. Coordinate interdepartmental privacy and security practices with a special committee of information security professionals.
7. Update your privacy policy to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, &#8220;only director-level employees have access to social security numbers&#8221;) and technical practices (for example, &#8220;employee data is stored on encrypted hard drives&#8221;). Privacy policies should deal with more than just cookies and Web forms.
8. Eliminate social security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
9. Physically destroy all old hard drives.

Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch. A version of this article originally appeared in the October 24, 2008 edition of the Chronicle of Higher Education, and is republished here by arrangement.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-02-11,24059736</guid>
      <pubDate>Wed, 11 Feb 2009 03:05:05 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/lIYgxeLgcBE/2003.IEEE.DiskDriveForensics.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Information security, college, University, Security Catalyst Contributors</itunes:keywords>
    </item>
    <item>
      <title>Why Conventional Wisdom about &#8220;Breaches&#8221; is Wrong</title>
      <link>http://odeo.com/episodes/23909744-Why-Conventional-Wisdom-about-%E2%80%9CBreaches%E2%80%9D-is-Wrong</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23909744</guid>
      <pubDate>Tue, 13 Jan 2009 19:55:07 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/TBkfHxr1l08/djLnIygXg8w&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>Why Conventional Wisdom about &#8220;Breaches&#8221; is Wrong</title>
      <link>http://odeo.com/episodes/23874743-Why-Conventional-Wisdom-about-%E2%80%9CBreaches%E2%80%9D-is-Wrong</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23874743</guid>
      <pubDate>Tue, 13 Jan 2009 19:55:07 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/511562954/djLnIygXg8w&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>The Human Response to Pain</title>
      <link>http://odeo.com/episodes/23909745-The-Human-Response-to-Pain</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23909745</guid>
      <pubDate>Tue, 13 Jan 2009 19:54:28 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/eSMGQk0B2Dk/UaThy4ZPl-w&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>The Human Response to Pain</title>
      <link>http://odeo.com/episodes/23874744-The-Human-Response-to-Pain</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23874744</guid>
      <pubDate>Tue, 13 Jan 2009 19:54:28 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/511562956/UaThy4ZPl-w&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>Breach - The Human Paradox</title>
      <link>http://odeo.com/episodes/23909746-Breach-The-Human-Paradox</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23909746</guid>
      <pubDate>Tue, 13 Jan 2009 19:00:01 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/bgVRQOfYKSk/5uTPuh6O9IU&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>Breach - The Human Paradox</title>
      <link>http://odeo.com/episodes/23874745-Breach-The-Human-Paradox</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2009-01-13,23874745</guid>
      <pubDate>Tue, 13 Jan 2009 19:00:01 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/x-shockwave-flash" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/511562958/5uTPuh6O9IU&amp;"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Videos</itunes:keywords>
    </item>
    <item>
      <title>In Defense of Breach Notification Laws (sort of)</title>
      <link>http://odeo.com/episodes/23771238-In-Defense-of-Breach-Notification-Laws-sort-of</link>
      <description>Starting with California&amp;#8217;s 2003 law, 1 all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped. Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: where a person&amp;#8217;s Data Self is stolen and abused. Measures of BNL Success With five years of breach notification law experience, it is essential to ask, &amp;#8220;Are they working?&amp;#8221; M...</description>
      <itunes:subtitle>Starting with California&amp;#8217;s 2003 law, 1 all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped. Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: where a person&amp;#8217;s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, &amp;#8220;Are they working?&amp;#8221; My shorthand answer is &amp;#8220;yes, sort of.&amp;#8221; I&amp;#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&amp;#8217;t at risk if they don&amp;#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:
Decreased Incidence of Identity Theft
Increased Awareness and Identity Control
Decreased Risk Behaviors and Incidence of Breach
Increased Victims&amp;#8217; Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft? A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&amp;#8217;s Data Self. 3 However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state&amp;#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers&amp;#8217; control over their identities? A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and it has the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:
Who: The class of victims affected by the breach.
What: A complete list of exposed information, not just the items required by law.
Where: The exposing entity&amp;#8217;s contact information.
How and When: Sufficiently detailed information about how and when the breach occurred.
How Much: Total number affected, sensitivity of information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
What Now: A clear statement of the consumer&amp;#8217;s legal rights (or lack of rights); concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is &amp;#8220;noisy,&amp;#8221; I think it would be a mischaracterization to label them as nothing more than &amp;#8220;noise.&amp;#8221; Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these &amp;#8220;noisy&amp;#8221; notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior? A: Probably not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds apathy. However, imagine you&amp;#8217;re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up. An alert is only effective when it empowers a person to act. A general breach announcement does nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), the notification will fail to empower victims, and may even engender apathy. Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute. It&amp;#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior? A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims&amp;#8217; Rights

Q: Do breach notification laws create new rights for consumers? A: Absolutely yes. While not a silver bullet to cure all ills, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action, will empower people and catalyze change. Here are seven legislative suggestions to effectively protect and empower consumers:
&amp;#8220;Stewards,&amp;#8221; not &amp;#8220;Owners&amp;#8221;: Given the tenuous and dangerous legal basis for &amp;#8220;owning&amp;#8221; personal information, notification laws should replace the concept of &amp;#8220;personal information owners&amp;#8221; with &amp;#8220;personal information stewards.&amp;#8221;
Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and &amp;#8220;what now?&amp;#8221; of each breach.
Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. become an actual victim of identity theft, 2. find the identity thief, 3. prove that the thief&amp;#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive &amp;#8220;ascertainable loss&amp;#8221; 5 whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&amp;#8217;s failure to value privacy.
Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
Automatic Credit Reporting: Consumers should get an automatic notification of any activity on their credit.
Permanent Credit Freezes: Currently, credit freezes expire after only 90 days.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.

Footnotes
1 Cal. Civ. Code &amp;sect;&amp;sect; 1798.82-84.
2 See, e.g., N.H. Rev. Stat. &amp;sect; 359-C:2.
3 See, e.g., Ga. Code &amp;sect; 10-1-910(4),(7).
4 See, e.g., Cal. Civ. Code &amp;sect; 1798.81.5.(a).
5 Tenn. Code &amp;sect; 47-18-2102(1).</itunes:subtitle>
      <itunes:summary>Starting with California&amp;#8217;s 2003 law, 1 all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped. Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: where a person&amp;#8217;s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, &amp;#8220;Are they working?&amp;#8221; My shorthand answer is &amp;#8220;yes, sort of.&amp;#8221; I&amp;#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&amp;#8217;t at risk if they don&amp;#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:
Decreased Incidence of Identity Theft
Increased Awareness and Identity Control
Decreased Risk Behaviors and Incidence of Breach
Increased Victims&amp;#8217; Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft? A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&amp;#8217;s Data Self. 3 However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state&amp;#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers&amp;#8217; control over their identities? A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and it has the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:
Who: The class of victims affected by the breach.
What: A complete list of exposed information, not just the items required by law.
Where: The exposing entity&amp;#8217;s contact information.
How and When: Sufficiently detailed information about how and when the breach occurred.
How Much: Total number affected, sensitivity of information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
What Now: A clear statement of the consumer&amp;#8217;s legal rights (or lack of rights); concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is &amp;#8220;noisy,&amp;#8221; I think it would be a mischaracterization to label them as nothing more than &amp;#8220;noise.&amp;#8221; Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these &amp;#8220;noisy&amp;#8221; notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior? A: Probably not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds apathy. However, imagine you&amp;#8217;re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up. An alert is only effective when it empowers a person to act. A general breach announcement does nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), the notification will fail to empower victims, and may even engender apathy. Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute. It&amp;#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior? A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims&amp;#8217; Rights

Q: Do breach notification laws create new rights for consumers? A: Absolutely yes. While not a silver bullet to cure all ills, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action, will empower people and catalyze change. Here are seven legislative suggestions to effectively protect and empower consumers:
&amp;#8220;Stewards,&amp;#8221; not &amp;#8220;Owners&amp;#8221;: Given the tenuous and dangerous legal basis for &amp;#8220;owning&amp;#8221; personal information, notification laws should replace the concept of &amp;#8220;personal information owners&amp;#8221; with &amp;#8220;personal information stewards.&amp;#8221;
Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and &amp;#8220;what now?&amp;#8221; of each breach.
Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. become an actual victim of identity theft, 2. find the identity thief, 3. prove that the thief&amp;#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive &amp;#8220;ascertainable loss&amp;#8221; 5 whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&amp;#8217;s failure to value privacy.
Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
Automatic Credit Reporting: Consumers should get an automatic notification of any activity on their credit.
Permanent Credit Freezes: Currently, credit freezes expire after only 90 days.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.

Footnotes
1 Cal. Civ. Code &amp;sect;&amp;sect; 1798.82-84.
2 See, e.g., N.H. Rev. Stat. &amp;sect; 359-C:2.
3 See, e.g., Ga. Code &amp;sect; 10-1-910(4),(7).
4 See, e.g., Cal. Civ. Code &amp;sect; 1798.81.5.(a).
5 Tenn. Code &amp;sect; 47-18-2102(1).</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-12-17,23771238</guid>
      <pubDate>Wed, 17 Dec 2008 20:25:08 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://weis2008.econinfosec.org/papers/Romanosky.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Information Protection</itunes:keywords>
    </item>
    <item>
      <title>In Defense of Breach Notification Laws (sort of)</title>
      <link>http://odeo.com/episodes/23848855-In-Defense-of-Breach-Notification-Laws-sort-of</link>
      <description>Starting with California&amp;#8217;s 2003 law, 1 all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped. Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: where a person&amp;#8217;s Data Self is stolen and abused. Measures of BNL Success With five years of breach notification law experience, it is essential to ask, &amp;#8220;Are they working?&amp;#8221; M...</description>
      <itunes:subtitle>Starting with California&amp;#8217;s 2003 law, 1 all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped. Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: where a person&amp;#8217;s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, &amp;#8220;Are they working?&amp;#8221; My shorthand answer is &amp;#8220;yes, sort of.&amp;#8221; I&amp;#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&amp;#8217;t at risk if they don&amp;#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:
Decreased Incidence of Identity Theft
Increased Awareness and Identity Control
Decreased Risk Behaviors and Incidence of Breach
Increased Victims&amp;#8217; Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft? A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&amp;#8217;s Data Self. 3 However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state&amp;#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers&amp;#8217; control over their identities? A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and it has the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:
Who: The class of victims affected by the breach.
What: A complete list of exposed information, not just the items required by law.
Where: The exposing entity&amp;#8217;s contact information.
How and When: Sufficiently detailed information about how and when the breach occurred.
How Much: Total number affected, sensitivity of information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
What Now: A clear statement of the consumer&amp;#8217;s legal rights (or lack of rights); concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is &amp;#8220;noisy,&amp;#8221; I think it would be a mischaracterization to label them as nothing more than &amp;#8220;noise.&amp;#8221; Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these &amp;#8220;noisy&amp;#8221; notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior? A: Probably not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction. However, imagine you&amp;#8217;re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up. An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), the notification will fail to empower victims, and may even engender apathy. Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute. It&amp;#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior? A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims&amp;#8217; Rights

Q: Do breach notification laws create new rights for consumers? A: Absolutely yes. While not a silver bullet to cure all ills, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action, will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:
&amp;#8220;Stewards,&amp;#8221; not &amp;#8220;Owners&amp;#8221;: Given the tenuous and dangerous legal basis for &amp;#8220;owning&amp;#8221; personal information, notification laws should replace the concept of &amp;#8220;personal information owners&amp;#8221; with &amp;#8220;personal information stewards.&amp;#8221; This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can&amp;#8217;t &amp;#8220;own&amp;#8221; a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.
Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and &amp;#8220;what now?&amp;#8221; of each breach.
Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. become an actual victim of identity theft, 2. find the identity thief, 3. prove that the thief&amp;#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive &amp;#8220;ascertainable loss&amp;#8221; 5 whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&amp;#8217;s failure to value privacy.
Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared.
This data trail would be used for data audits and could help establish causation in the case of a breach. Automatic Credit Reporting: Consumers should get an automatic notification at any activity on their credit. Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback. Footnotes 1 Cal. Civ. Code &amp;sect;&amp;sect; 1798.82-84. 2 See, e.g. N.H. Rev. Stat. &amp;sect; 359-C:2. 3 See, e.g. Ga. Code &amp;sect; 10-1-910(4),(7). 4 See, e.g. Cal. Civ. Code &amp;sect; 1798.81.5.(a). 5 Tenn. Code &amp;sect; 47-18-2102(1).</itunes:subtitle>
      <itunes:summary>Starting with California&#8217;s 2003 law,[1] all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped.

Your identity or Data Self is a digital alter ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity theft is just that: where a person&#8217;s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, &#8220;Are they working?&#8221; My shorthand answer is &#8220;yes, sort of.&#8221; I&#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&#8217;t at risk if they don&#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:

1. Decreased Incidence of Identity Theft
2. Increased Awareness and Identity Control
3. Decreased Risk Behaviors and Incidence of Breach
4. Increased Victims&#8217; Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft?
A: Probably not.

Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&#8217;s Data Self.[3] However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state&#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers&#8217; control over their identities?
A: Yes, to varying degrees.

A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and it has the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:

Who: The class of victims affected by the breach.
What: A complete list of exposed information, not just the items required by law.
Where: The exposing entity&#8217;s contact information.
How and When: Sufficiently detailed information about how and when the breach occurred.
How Much: Total number affected, sensitivity of information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
What Now: A clear statement of consumers&#8217; legal rights (or lack of rights); concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is &#8220;noisy,&#8221; I think it would be a mischaracterization to label them as nothing more than &#8220;noise.&#8221; Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these &#8220;noisy&#8221; notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior?
A: Probably not, but they have the potential to.

An effective notification must contain actionable intelligence, which means intelligence plus action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction. However, imagine you&#8217;re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up. An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), the notification will fail to empower victims, and may even engender apathy.

Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute. It&#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior?
A: Probably yes.

The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims&#8217; Rights

Q: Do breach notification laws create new rights for consumers?
A: Absolutely yes.

While not the silver bullet to cure all ills, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action, will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:

&#8220;Stewards,&#8221; not &#8220;Owners&#8221;: Given the tenuous and dangerous legal basis for &#8220;owning&#8221; personal information, notification laws should replace the concept of &#8220;personal information owners&#8221; with &#8220;personal information stewards.&#8221; This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can&#8217;t &#8220;own&#8221; a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.

Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including the who, what, when, how, how much, and &#8220;what now?&#8221; of each breach.

Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.

Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. become an actual victim of identity theft, 2. find the identity thief, 3. prove that the thief&#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive &#8220;ascertainable loss&#8221;[5] whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&#8217;s failure to value privacy.

Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.

Automatic Credit Reporting: Consumers should get an automatic notification of any activity on their credit.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.

Footnotes
[1] Cal. Civ. Code &#167;&#167; 1798.82-84.
[2] See, e.g., N.H. Rev. Stat. &#167; 359-C:2.
[3] See, e.g., Ga. Code &#167; 10-1-910(4),(7).
[4] See, e.g., Cal. Civ. Code &#167; 1798.81.5(a).
[5] Tenn. Code &#167; 47-18-2102(1).</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-12-17,23848855</guid>
      <pubDate>Wed, 17 Dec 2008 20:25:08 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://weis2008.econinfosec.org/papers/Romanosky.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Security, identity theft, Information Protection, Breach Notification</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for October 11, 2008 - Social Media Ethics</title>
      <link>http://odeo.com/episodes/23517333-Security-Roundtable-for-October-11-2008-Social-Media-Ethics</link>
      <description>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name). Learn more about the participants: Jennifer Leggio http://blogs.zdnet.com/feeds/ http://mediaphyter.wordpress.com/ http://twitter.com/mediaphyter Martin McKeay http://www.mcke...</description>
      <itunes:subtitle>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name).

Learn more about the participants:
Jennifer Leggio
http://blogs.zdnet.com/feeds/
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
http://www.mckeay.net/
http://netsecpodcast.com/
http://twitter.com/mckeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available &#8211; eBook or hardcover)
http://twitter.com/catalyst</itunes:subtitle>
      <itunes:summary>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name).

Learn more about the participants:
Jennifer Leggio
http://blogs.zdnet.com/feeds/
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
http://www.mckeay.net/
http://netsecpodcast.com/
http://twitter.com/mckeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available &#8211; eBook or hardcover)
http://twitter.com/catalyst</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-22,23517333</guid>
      <pubDate>Wed, 22 Oct 2008 06:43:23 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/428564143/SRT-20081011.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>social media, netcast, ethics, Security Catalyst Community</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for October 11, 2008 - Social Media Ethics</title>
      <link>http://odeo.com/episodes/23848858-Security-Roundtable-for-October-11-2008-Social-Media-Ethics</link>
      <description>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name). Learn more about the participants: Jennifer Leggio http://blogs.zdnet.com/feeds/ http://mediaphyter.wordpress.com/ http://twitter.com/mediaphyter Martin McKeay http://www.mcke...</description>
      <itunes:subtitle>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name).

Learn more about the participants:
Jennifer Leggio
http://blogs.zdnet.com/feeds/
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
http://www.mckeay.net/
http://netsecpodcast.com/
http://twitter.com/mckeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available &#8211; eBook or hardcover)
http://twitter.com/catalyst</itunes:subtitle>
      <itunes:summary>The world of blogging, podcasting and social media is a dynamic &#8211; and dominant &#8211; force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved. With the help of Jennifer Leggio &#8211; social media expert, former journalist and friend of the Security Roundtable &#8211; we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information. This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard: you must use your real name).

Learn more about the participants:
Jennifer Leggio
http://blogs.zdnet.com/feeds/
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
http://www.mckeay.net/
http://netsecpodcast.com/
http://twitter.com/mckeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available &#8211; eBook or hardcover)
http://twitter.com/catalyst</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-22,23848858</guid>
      <pubDate>Wed, 22 Oct 2008 06:43:23 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/428564143/SRT-20081011.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>social media, netcast, ethics, Security Catalyst Community</itunes:keywords>
    </item>
    <item>
      <title>Red Flag Rules:  How to make sure you are ready</title>
      <link>http://odeo.com/episodes/23471368-Red-Flag-Rules-How-to-make-sure-you-are-ready</link>
      <description>By Patrick Romero, CIPP In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Red Flag and Address Discrepancy rules under the Fair and Accurate Credit Transactions Act of 2003, also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft. Are you a creditor? Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;&#167; 1691a(e), 1681a(r)(5); 16 C.F.R. &#167; 681.2(b)(4). What this means is that credi...</description>
      <itunes:subtitle>By Patrick Romero, CIPP

In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Red Flag and Address Discrepancy rules under the Fair and Accurate Credit Transactions Act of 2003, also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft.

Are you a creditor?

Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;&#167; 1691a(e), 1681a(r)(5); 16 C.F.R. &#167; 681.2(b)(4). What this means is that organizations like automobile dealers, mortgage brokers, utility companies, non-bank financial services that provide money market accounts and institutions of higher education can also be considered creditors. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a &#8220;creditor&#8221; with no Red Flag rules in place.

What does compliance entail?

Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since it allows for flexibility depending on the creditor&#8217;s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on its lower individual level of risk. An initial risk assessment will enable the creditor to identify what information must be protected and to account for the creditor&#8217;s previous experience with issues of identity theft. The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provide an outline for developing a Program. In a supplement to the guidelines, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:

&#8226; address discrepancy
&#8226; name discrepancy on identification and insurance information
&#8226; presentation of suspicious documents
&#8226; personal information inconsistent with information already on file
&#8226; unusual use or suspicious activity related to a covered account, and/or
&#8226; notice from customers, law enforcement or others of unusual activity related to that covered account.

In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must &#8220;train staff, as necessary&#8221; to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need train only &#8220;relevant staff&#8221; and only insofar as necessary to supplement other training programs.

Expect more fines from the FTC

The Red Flag rules are meant to protect consumer information and to ensure that personal data held in the private sector is handled in compliance with the rule. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be &#8220;unfair and deceptive,&#8221; the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions.

While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high-profile data breaches indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give itself oversight of the identity theft and medical identity theft issues faced by millions of Americans.</itunes:subtitle>
      <itunes:summary>By Patrick Romero, CIPP

In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Red Flag and Address Discrepancy rules under the Fair and Accurate Credit Transactions Act of 2003, also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft.

Are you a creditor?

Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;&#167; 1691a(e), 1681a(r)(5); 16 C.F.R. &#167; 681.2(b)(4). What this means is that organizations like automobile dealers, mortgage brokers, utility companies, non-bank financial services that provide money market accounts and institutions of higher education can also be considered creditors. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a &#8220;creditor&#8221; with no Red Flag rules in place.

What does compliance entail?

Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since it allows for flexibility depending on the creditor&#8217;s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on its lower individual level of risk. An initial risk assessment will enable the creditor to identify what information must be protected and to account for the creditor&#8217;s previous experience with issues of identity theft. The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provide an outline for developing a Program. In a supplement to the guidelines, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:

&#8226; address discrepancy
&#8226; name discrepancy on identification and insurance information
&#8226; presentation of suspicious documents
&#8226; personal information inconsistent with information already on file
&#8226; unusual use or suspicious activity related to a covered account, and/or
&#8226; notice from customers, law enforcement or others of unusual activity related to that covered account.

In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must &#8220;train staff, as necessary&#8221; to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need train only &#8220;relevant staff&#8221; and only insofar as necessary to supplement other training programs.

Expect more fines from the FTC

The Red Flag rules are meant to protect consumer information and to ensure that personal data held in the private sector is handled in compliance with the rule. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be &#8220;unfair and deceptive,&#8221; the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions.

While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high-profile data breaches indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give itself oversight of the identity theft and medical identity theft issues faced by millions of Americans.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-10,23471368</guid>
      <pubDate>Fri, 10 Oct 2008 03:48:13 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/416679995/060718idtheftredflags.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Information Protection, FTC red flag</itunes:keywords>
    </item>
    <item>
      <title>Red Flag Rules: How to make sure you are ready</title>
      <link>http://odeo.com/episodes/23848861-Red-Flag-Rules-How-to-make-sure-you-are-ready</link>
      <description>By Patrick Romero, CIPP In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Identity Theft Red Flags and Address Discrepancies rules under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft. Are you a creditor? Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;1691a(e), &#167;1681a(r)(5); 16 C.F.R. &#167;681.2(b)(4). What this means is that credi...</description>
      <itunes:subtitle>By Patrick Romero, CIPP

In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Identity Theft Red Flags and Address Discrepancies rules under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft.

Are you a creditor?

Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;1691a(e), &#167;1681a(r)(5); 16 C.F.R. &#167;681.2(b)(4). What this means is that creditors can also include organizations such as automobile dealers, mortgage brokers, utility companies, non-bank financial services firms that provide money market accounts, and institutions of higher education. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a &#8220;creditor&#8221; with no Red Flag program in place.

What does compliance entail?

Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since it allows for flexibility depending on the creditor&#8217;s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on its lower individual level of risk.

An initial risk assessment will enable the creditor to identify what information must be protected and to account for the creditor&#8217;s previous experience with identity theft. The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provide an outline for developing a Program. In a supplement to the guidelines, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:
&#8226; address discrepancy
&#8226; name discrepancy on identification and insurance information
&#8226; presentation of suspicious documents
&#8226; personal information inconsistent with information already on file
&#8226; unusual use or suspicious activity related to a covered account, and/or
&#8226; notice from customers, law enforcement or others of unusual activity related to that covered account.

In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must &#8220;train staff, as necessary&#8221; to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need only train &#8220;relevant staff&#8221; and only insofar as necessary to supplement other training programs.

Expect more fines from the FTC

The Red Flag rules are meant to protect consumer information and to ensure compliant handling of personal data in the private sector. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be &#8220;unfair and deceptive&#8221;, the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions.

While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high-profile data breaches indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data-breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give it oversight into the identity theft and medical identity theft issues faced by millions of Americans.</itunes:subtitle>
      <itunes:summary>By Patrick Romero, CIPP

In case you haven&#8217;t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Identity Theft Red Flags and Address Discrepancies rules under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the &#8220;Red Flag&#8221; rules, are intended to formally detect, prevent and mitigate identity theft.

Are you a creditor?

Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as &#8220;any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&#8221; 15 U.S.C. &#167;1691a(e), &#167;1681a(r)(5); 16 C.F.R. &#167;681.2(b)(4). What this means is that creditors can also include organizations such as automobile dealers, mortgage brokers, utility companies, non-bank financial services firms that provide money market accounts, and institutions of higher education. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a &#8220;creditor&#8221; with no Red Flag program in place.

What does compliance entail?

Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since it allows for flexibility depending on the creditor&#8217;s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on its lower individual level of risk.

An initial risk assessment will enable the creditor to identify what information must be protected and to account for the creditor&#8217;s previous experience with identity theft. The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provide an outline for developing a Program. In a supplement to the guidelines, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:
&#8226; address discrepancy
&#8226; name discrepancy on identification and insurance information
&#8226; presentation of suspicious documents
&#8226; personal information inconsistent with information already on file
&#8226; unusual use or suspicious activity related to a covered account, and/or
&#8226; notice from customers, law enforcement or others of unusual activity related to that covered account.

In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must &#8220;train staff, as necessary&#8221; to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need only train &#8220;relevant staff&#8221; and only insofar as necessary to supplement other training programs.

Expect more fines from the FTC

The Red Flag rules are meant to protect consumer information and to ensure compliant handling of personal data in the private sector. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be &#8220;unfair and deceptive&#8221;, the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions.

While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high-profile data breaches indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data-breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give it oversight into the identity theft and medical identity theft issues faced by millions of Americans.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-10,23848861</guid>
      <pubDate>Fri, 10 Oct 2008 03:48:13 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/416679995/060718idtheftredflags.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Information Protection, FTC red flag</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for September 27, 2008</title>
      <link>http://odeo.com/episodes/23432240-Security-Roundtable-for-September-27-2008</link>
      <description>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list. Twitter: www.twitter.com Zach: http://twitter.com/quine Michael: http://twitter.com/catalyst Martin: http://twitter.com/mckeay Security Twits: http://n0where.org/security-twits/ Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15. PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we lea...</description>
      <itunes:subtitle>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com
Zach: http://twitter.com/quine
Michael: http://twitter.com/catalyst
Martin: http://twitter.com/mckeay

Security Twits: http://n0where.org/security-twits/

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I&#8217;m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!</itunes:subtitle>
      <itunes:summary>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com
Zach: http://twitter.com/quine
Michael: http://twitter.com/catalyst
Martin: http://twitter.com/mckeay

Security Twits: http://n0where.org/security-twits/

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I&#8217;m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-01,23432240</guid>
      <pubDate>Wed, 01 Oct 2008 05:14:17 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/408193916/SRT-20080927.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>srt, netcast, Catalyst, into the breach</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for September 27, 2008</title>
      <link>http://odeo.com/episodes/23848862-Security-Roundtable-for-September-27-2008</link>
      <description>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list. Twitter: www.twitter.com Zach: http://twitter.com/quine Michael: http://twitter.com/catalyst Martin: http://twitter.com/mckeay Security Twits: http://n0where.org/security-twits/ Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15. PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we lea...</description>
      <itunes:subtitle>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com
Zach: http://twitter.com/quine
Michael: http://twitter.com/catalyst
Martin: http://twitter.com/mckeay

Security Twits: http://n0where.org/security-twits/

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I&#8217;m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!</itunes:subtitle>
      <itunes:summary>Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with &#8216;twit&#8217; and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points. Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com
Zach: http://twitter.com/quine
Michael: http://twitter.com/catalyst
Martin: http://twitter.com/mckeay

Security Twits: http://n0where.org/security-twits/

Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.

PS: 10 days after the break-in and theft - we&#8217;re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I&#8217;m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-10-01,23848862</guid>
      <pubDate>Wed, 01 Oct 2008 05:14:17 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/blog/podpress_trac/feed/539/0/SRT-20080927.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>srt, netcast, Catalyst, into the breach</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for September 13</title>
      <link>http://odeo.com/episodes/23848863-Security-Roundtable-for-September-13</link>
      <description>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved. While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi pr...</description>
      <itunes:subtitle>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program. Our rules are/were simple: no sales pitch. Marc didn&#8217;t need the rules &#8211; he&#8217;s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT. I&#8217;ll be in Las Vegas &#8211; so for me, it will actually be nice and early (and I&#8217;ll find some Mountain Dew before we start &#8211; MD should sponsor me!).</itunes:subtitle>
      <itunes:summary>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program. Our rules are/were simple: no sales pitch. Marc didn&#8217;t need the rules &#8211; he&#8217;s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT. I&#8217;ll be in Las Vegas &#8211; so for me, it will actually be nice and early (and I&#8217;ll find some Mountain Dew before we start &#8211; MD should sponsor me!).</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-09-17,23848863</guid>
      <pubDate>Wed, 17 Sep 2008 04:30:39 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securityroundtable.com/podcast/SRT-20080913.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, security roundtable, mckeay</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for September 13</title>
      <link>http://odeo.com/episodes/23360755-Security-Roundtable-for-September-13</link>
      <description>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved. While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi pr...</description>
      <itunes:subtitle>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program. Our rules are/were simple: no sales pitch. Marc didn&#8217;t need the rules &#8211; he&#8217;s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT. I&#8217;ll be in Las Vegas &#8211; so for me, it will actually be nice and early (and I&#8217;ll find some Mountain Dew before we start &#8211; MD should sponsor me!).</itunes:subtitle>
      <itunes:summary>Martin McKeay and I are evolving the Security Roundtable: we&#8217;ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we&#8217;ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us. Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static &#8220;panel&#8221; of people, we&#8217;re exploring more voices, shorter segments and more interaction. We&#8217;d love to know what you think, what you want to hear and if you want to be involved.

While we consider this recording to be an experiment &#8211; it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program. Our rules are/were simple: no sales pitch. Marc didn&#8217;t need the rules &#8211; he&#8217;s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT. I&#8217;ll be in Las Vegas &#8211; so for me, it will actually be nice and early (and I&#8217;ll find some Mountain Dew before we start &#8211; MD should sponsor me!).</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-09-17,23360755</guid>
      <pubDate>Wed, 17 Sep 2008 04:30:39 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/blog/podpress_trac/feed/534/0/SRT-20080913.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, security roundtable, mckeay</itunes:keywords>
    </item>
    <item>
      <title>Catalyst Conversation Starter: The High Cost of &#8220;Freeware&#8221;</title>
      <link>http://odeo.com/episodes/23298637-Catalyst-Conversation-Starter-The-High-Cost-of-%E2%80%9CFreeware%E2%80%9D</link>
      <description>When it comes to protecting home computers, &amp;#8220;Is freeware free?&amp;#8221; This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we met in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers? I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use &amp;#8220;freeware&amp;#8221; solutions - what is the best answer? What do you recommend today? Why? To aid in the process, I offer for consideration a report that details my experience ...</description>
      <itunes:subtitle>When it comes to protecting home computers, &amp;#8220;Is freeware free?&amp;#8221; This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we meet in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers? I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use &amp;#8220;freeware&amp;#8221; solutions - what is the best answer? What do you recommend today? Why? To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation. Based on a challenge, I stepped back and examined the situation in a manner different from what is normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and made an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the &amp;#8220;truths&amp;#8221; I believed in favor of real experience.
Get the report here: http://www.securitycatalyst.com/eGuides/Security-Catalyst-The-Hidden-Cost-of-Freeware.pdf
Come join the discussion in the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=960.0 (and join me for a live Talkcast on Thursday &amp;#8212; Noon Eastern &amp;#8212; to discuss this with special guest Dave Cole)</itunes:subtitle>
      <itunes:summary>When it comes to protecting home computers, &amp;#8220;Is freeware free?&amp;#8221; This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we meet in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers? I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use &amp;#8220;freeware&amp;#8221; solutions - what is the best answer? What do you recommend today? Why? To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation. Based on a challenge, I stepped back and examined the situation in a manner different from what is normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and made an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the &amp;#8220;truths&amp;#8221; I believed in favor of real experience.
Get the report here: http://www.securitycatalyst.com/eGuides/Security-Catalyst-The-Hidden-Cost-of-Freeware.pdf
Come join the discussion in the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=960.0 (and join me for a live Talkcast on Thursday &amp;#8212; Noon Eastern &amp;#8212; to discuss this with special guest Dave Cole)</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-09-03,23298637</guid>
      <pubDate>Wed, 03 Sep 2008 19:16:56 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://www.securitycatalyst.com/eGuides/Security-Catalyst-The-Hidden-Cost-of-Freeware.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Catalyst Insights, Security Catalyst Community, Information Protection</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge</title>
      <link>http://odeo.com/episodes/23298643-Security-Catalyst-Show-for-23-July-2008-Breach-Breakdown-with-Adam-Dodge</link>
      <description>With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I &amp;#8212; along with some guests &amp;#8212; are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information. PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I&amp;#8217;ll have a stack at Blackhat and during the next Catalyst onTour trip! Meantime, check out Adam&amp;#8217;s excellent site: http://www.adamdodge.com/esi/ Breach Breakdown Show 1 - Ohio University Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3 Story of the breach The story is not just about one single bre...</description>
      <itunes:subtitle>With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I &amp;#8212; along with some guests &amp;#8212; are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information. PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I&amp;#8217;ll have a stack at Blackhat and during the next Catalyst onTour trip! Meantime, check out Adam&amp;#8217;s excellent site: http://www.adamdodge.com/esi/
Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3
Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information of 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department had assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university&amp;#8217;s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.
In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000. The university fired 2 IT administrators and the CIO resigned.
What was the response
Ohio University&amp;#8217;s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university&amp;#8217;s response than simply taking servers down and investigating.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
- The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings the committee put together a 20-point action plan titled &amp;#8220;Blueprint for Building a World-Class IT Function at Ohio University&amp;#8221;.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants&amp;#8217; report.
- Ohio University has continued to talk about this breach openly and honestly.
- OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221;. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.
What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis&amp;#8217; statement that the university did not take IT seriously.
- In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a &amp;#8220;spontaneous mushrooming of IT people on campus&amp;#8221;. A report from a consultant confirmed this view, describing the IT departments on campus as an &amp;#8220;adhocracy&amp;#8221; characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in IT budget, 1 million in 2 years, and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
Links for more information
OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required): Wasley, Paula. &amp;#8220;More Holes Than a Pound of Swiss Cheese&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v53/i06/06a03901.htm&amp;gt;
Articles about the breaches: Sandoval, Greg. &amp;#8220;University server in hackers&amp;#8217; hands for a year&amp;#8221; CNet News.com &amp;lt;http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html&amp;gt; Vijayan, Jaikumar. &amp;#8220;Ohio University reports two separate security breaches&amp;#8221; Computerworld &amp;lt;http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html&amp;gt;
OU President McDavis&amp;#8217; essay about the breaches (subscription required): McDavis, Roderick J. &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v54/i30/30b00501.htm&amp;gt;
A good write-up of President McDavis&amp;#8217; essay: Heck, Richard. &amp;#8220;McDavis writes of computer breach in national publication&amp;#8221; The Athens Messenger &amp;lt;http://www.athensmessenger.com/main.asp?SectionID=1&amp;amp;SubSectionID=273&amp;amp;ArticleID=9592&amp;amp;TM=42628.33&amp;gt;
Ohio University data theft web site: http://www.ohio.edu/datatheft/index.cfm</itunes:subtitle>
      <itunes:summary>With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I &amp;#8212; along with some guests &amp;#8212; are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information. PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I&amp;#8217;ll have a stack at Blackhat and during the next Catalyst onTour trip! Meantime, check out Adam&amp;#8217;s excellent site: http://www.adamdodge.com/esi/
Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3
Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information of 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department had assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university&amp;#8217;s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.
In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000. The university fired 2 IT administrators and the CIO resigned.
What was the response
Ohio University&amp;#8217;s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university&amp;#8217;s response than simply taking servers down and investigating.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
- The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings the committee put together a 20-point action plan titled &amp;#8220;Blueprint for Building a World-Class IT Function at Ohio University&amp;#8221;.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants&amp;#8217; report.
- Ohio University has continued to talk about this breach openly and honestly.
- OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221;. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.
What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis&amp;#8217; statement that the university did not take IT seriously.
- In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a &amp;#8220;spontaneous mushrooming of IT people on campus&amp;#8221;. A report from a consultant confirmed this view, describing the IT departments on campus as an &amp;#8220;adhocracy&amp;#8221; characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in IT budget, 1 million in 2 years, and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
Links for more information
OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required): Wasley, Paula. &amp;#8220;More Holes Than a Pound of Swiss Cheese&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v53/i06/06a03901.htm&amp;gt;
Articles about the breaches: Sandoval, Greg. &amp;#8220;University server in hackers&amp;#8217; hands for a year&amp;#8221; CNet News.com &amp;lt;http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html&amp;gt; Vijayan, Jaikumar. &amp;#8220;Ohio University reports two separate security breaches&amp;#8221; Computerworld &amp;lt;http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html&amp;gt;
OU President McDavis&amp;#8217; essay about the breaches (subscription required): McDavis, Roderick J. &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v54/i30/30b00501.htm&amp;gt;
A good write-up of President McDavis&amp;#8217; essay: Heck, Richard. &amp;#8220;McDavis writes of computer breach in national publication&amp;#8221; The Athens Messenger &amp;lt;http://www.athensmessenger.com/main.asp?SectionID=1&amp;amp;SubSectionID=273&amp;amp;ArticleID=9592&amp;amp;TM=42628.33&amp;gt;
Ohio University data theft web site: http://www.ohio.edu/datatheft/index.cfm</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-07-23,23298643</guid>
      <pubDate>Wed, 23 Jul 2008 19:32:07 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/TSC-20080723.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>dodge, netcast, Ohio, Catalyst, Add new tag, breach, Information Protection, into the breach, santarcangelo, esi, breach breakdown</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge</title>
      <link>http://odeo.com/episodes/23848867-Security-Catalyst-Show-for-23-July-2008-Breach-Breakdown-with-Adam-Dodge</link>
      <description>With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I &amp;#8212; along with some guests &amp;#8212; are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information. PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I&amp;#8217;ll have a stack at Blackhat and during the next Catalyst onTour trip! Meantime, check out Adam&amp;#8217;s excellent site: http://www.adamdodge.com/esi/ Breach Breakdown Show 1 - Ohio University Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3 Story of the breach The story is not just about one single bre...</description>
      <itunes:subtitle>With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I &amp;#8212; along with some guests &amp;#8212; are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information. PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I&amp;#8217;ll have a stack at Blackhat and during the next Catalyst onTour trip! Meantime, check out Adam&amp;#8217;s excellent site: http://www.adamdodge.com/esi/
Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3
Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information of 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department had assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university&amp;#8217;s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.
In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000. The university fired 2 IT administrators and the CIO resigned.
What was the response
Ohio University&amp;#8217;s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university&amp;#8217;s response than simply taking servers down and investigating.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
- The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings the committee put together a 20-point action plan titled &amp;#8220;Blueprint for Building a World-Class IT Function at Ohio University&amp;#8221;.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants&amp;#8217; report.
- Ohio University has continued to talk about this breach openly and honestly.
- OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221;. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.
What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis&amp;#8217; statement that the university did not take IT seriously.
- In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a &amp;#8220;spontaneous mushrooming of IT people on campus&amp;#8221;. A report from a consultant confirmed this view, describing the IT departments on campus as an &amp;#8220;adhocracy&amp;#8221; characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in IT budget, 1 million in 2 years, and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
Links for more information
OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required): Wasley, Paula.
&amp;#8220;More Holes Than a Pound of Swiss Cheese&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v53/i06/06a03901.htm&amp;gt;&#160; Articles about the breaches Sandoval, Greg &amp;#8220;University server in hackers&amp;#8217; hands for a year&amp;#8221; CNet News.com &amp;lt;http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html&amp;gt;Vijayan, Jalkumar &amp;#8220;Ohio University reports two separate security breaches&amp;#8221; Computerworld &amp;lt;http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html&amp;gt; OU President McDavis&amp;#8217; essay about the breaches (Subscription Required) McDavis, Roderick J. &amp;#8220;What Ohio U. Learned From a Major IT Crisis&amp;#8221; The Chronicle of Higher Education &amp;lt;http://chronicle.com/weekly/v54/i30/30b00501.htm&amp;gt; A good wright-up of President McDavis&amp;#8217; essay Heck, Richard &amp;#8220;McDavis writes of computer breach in national publication&amp;#8221; The Athens Messenger &amp;lt;http://www.athensmessenger.com/main.asp?SectionID=1&amp;amp;SubSectionID=273&amp;amp;ArticleID=9592&amp;amp;TM=42628.33&amp;gt; Ohio University data theft web site http://www.ohio.edu/datatheft/index.cfm</itunes:subtitle>
      <guid isPermaLink="false">tag:odeo.com,2008-07-23,23848867</guid>
      <pubDate>Wed, 23 Jul 2008 19:32:07 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/TSC-20080723.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>dodge, netcast, Ohio, Catalyst, breach, Information Protection, into the breach, santarcangelo, esi, breach breakdown</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show - Pop Culture Security Edition - July 2008</title>
      <link>http://odeo.com/episodes/23298656-Security-Catalyst-Show-Pop-Culture-Security-Edition-July-2008</link>
      <description>Whether responsible for security awareness training &#8212; or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down &#8211; in less than 20 minutes &#8212; how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute! Direct Link: TSC-20080716.mp3 Call for challenges Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com Phone number is 206-350-8346 == Detailed Show Notes After the Break == (and by detailed, I mean&#8230; wow. Detailed - Thanks to James for pulling the links together!!) On this episode 5 Critical Life Lessons you can Learn from Kung Fu Panda ...</description>
      <itunes:subtitle>Whether responsible for security awareness training &#8212; or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down &#8211; in less than 20 minutes &#8212; how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346

== Detailed Show Notes After the Break ==
(and by detailed, I mean&#8230; wow. Detailed - Thanks to James for pulling the links together!!)

On this episode
5 Critical Life Lessons you can Learn from Kung Fu Panda - http://www.dumblittleman.com/2008/07/5-critical-life-lessons-you-can-learn.html

The Trojan Horse
Defined:
  Wikipedia - original Trojan Horse - http://en.wikipedia.org/wiki/Trojan_horse
  Wikipedia - Trojan Horse in computing: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
  Dictionary.com - http://dictionary.reference.com/search?q=trojan+horse&amp;x=0&amp;y=0
  Whatis.com - http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
Examples:
Ocean&#8217;s Eleven - not the good one with Frank Sinatra, the remake with George Clooney
  IMDB link - http://www.imdb.com/title/tt0240772/
  NetFlix link - http://www.netflix.com/Movie/Ocean_s_Eleven/60021783?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1922003599_0_0
  Trailer - http://www.imdb.com/title/tt0240772/trailers-screenplay-vi1822294297
  Hulu clips: http://www.hulu.com/search/oceans+eleven?company=tbs&amp;type=all
Example of a scene: the container that supposedly contains diamonds, sent to the vault, that the acrobat is hiding inside.

Thomas Crown Affair (Pierce Brosnan and the Hottie Rene Russo)
  IMDB link - http://www.imdb.com/title/tt0155267/
  NetFlix link - http://www.netflix.com/Movie/The_Thomas_Crown_Affair/22589663?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1347506257_0_0
  Trailer (Requires Real Player) - http://www.film.com/movies/mediaplayback/the-thomas-crown-affair/17115147
Example of a scene: Early on in the film a statue of a horse is delivered to the museum. No one knows what to do with it, so it gets set off to the side. There are several people hiding inside who break out to break into the museum.

Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Scene: Attacking the castle the French have taken control of - the Trojan Rabbit. This is an example of how some really bad malware is written - the package gets delivered before the payload is really ready, and the Trojan Rabbit gets shot right back out of the castle.

Social Engineering
  Wikipedia - http://en.wikipedia.org/wiki/Social_engineering_(security)
  Dictionary.com - http://dictionary.reference.com/search?q=social+engineering&amp;x=0&amp;y=0
Examples:
Wall Street
  IMDB - http://www.imdb.com/title/tt0094291/
  trailer - http://www.imdb.com/title/tt0094291/trailers-screenplay-vi3554738457
  NetFlix link - http://www.netflix.com/Movie/Wall_Street/60003330?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=790572831_0_0
Example scenes: a) talking with his buddy (James Spader), the attorney is initially reluctant to share any information, but Charlie Sheen&#8217;s character convinces him that everyone is doing it; b) posing as a janitor to gain information. Who has access to your office when you are not there?

Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Example of a scene: Where Lancelot goes to the castle filled with women because of the Grail-shaped light at the top. Also, the women attempt to use sex to keep the knights at the castle.

Fletch
  IMDB link - http://www.imdb.com/title/tt0089155/
  trailer link - http://www.imdb.com/title/tt0089155/trailers-screenplay-vi3064398105
  NetFlix link - http://www.netflix.com/Movie/Fletch/510088?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1956738209_0_0
Chevy Chase/Fletch uses social engineering to obtain the information he needs - he uses disguises, voices and fake IDs to get what he wants.

Would you participate in a live, call-in show? If so, send us an email!!

Coming Up
August: Lessons learned from Burn Notice on the USA Network. This is available, free, as a streamed series. Plenty of clips. Anyone has access, and it appeals to a wide audience.
  USA Network - full episodes: http://www.usanetwork.com/series/burnnotice/video/fullep/
  USA Network - Clips: http://www.usanetwork.com/series/burnnotice/video/new.html
  Hulu - Clips: http://www.hulu.com/videos/search?query=burn+notice
If nothing else, check out the interviews with Matt Nix. Brilliant writing!

September: Back to School Edition. Thinking about School of Rock and Back to School and maybe Summer School thrown in for giggles. Got ideas? Want to be part of the show?

Movie to watch this month for ideas
Social Engineering - Defcon last year - our friend Mike Murray presented The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion - available on Google Video here: http://video.google.com/videoplay?docid=-1210687204734530548&amp;hl=en (and no, he didn&#8217;t &#8220;persuade&#8221; us to include this. It was the Jackson he slipped us)

Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346</itunes:subtitle>
      <guid isPermaLink="false">tag:odeo.com,2008-07-15,23298656</guid>
      <pubDate>Tue, 15 Jul 2008 21:57:18 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/podcast/TSC-20080716.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, monty python, Information Protection, social engineering, thomas crown affair, pop culture security, trojan horse, Security Awareness Training, PCS</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show - Pop Culture Security Edition - July 2008</title>
      <link>http://odeo.com/episodes/23848868-Security-Catalyst-Show-Pop-Culture-Security-Edition-July-2008</link>
      <description>Whether responsible for security awareness training &#8212; or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down &#8211; in less than 20 minutes &#8212; how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute! Direct Link: TSC-20080716.mp3 Call for challenges Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com Phone number is 206-350-8346 == Detailed Show Notes After the Break == (and by detailed, I mean&#8230; wow. Detailed - Thanks to James for pulling the links together!!) On this episode 5 Critical Life Lessons you can Learn from Kung Fu Panda ...</description>
      <itunes:subtitle>Whether responsible for security awareness training &#8212; or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down &#8211; in less than 20 minutes &#8212; how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!
Direct Link: TSC-20080716.mp3
Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346
== Detailed Show Notes After the Break ==
(and by detailed, I mean&#8230; wow. Detailed - Thanks to James for pulling the links together!!)
On this episode
5 Critical Life Lessons You Can Learn from Kung Fu Panda - http://www.dumblittleman.com/2008/07/5-critical-life-lessons-you-can-learn.html
The Trojan Horse
Defined:
  Wikipedia - original Trojan Horse - http://en.wikipedia.org/wiki/Trojan_horse
  Wikipedia - Trojan Horse in computing: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
  Dictionary.com - http://dictionary.reference.com/search?q=trojan+horse&amp;x=0&amp;y=0
  Whatis.com - http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
Examples:
Ocean&#8217;s Eleven - not the good one with Frank Sinatra, the remake with George Clooney
  IMDB link - http://www.imdb.com/title/tt0240772/
  NetFlix link - http://www.netflix.com/Movie/Ocean_s_Eleven/60021783?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1922003599_0_0
  Trailer - http://www.imdb.com/title/tt0240772/trailers-screenplay-vi1822294297
  Hulu clips: http://www.hulu.com/search/oceans+eleven?company=tbs&amp;type=all
Example of a scene: the container that supposedly contains diamonds, sent to the vault, that the acrobat is hiding inside.
Thomas Crown Affair (Pierce Brosnan and the Hottie Rene Russo)
  IMDB link - http://www.imdb.com/title/tt0155267/
  NetFlix link - http://www.netflix.com/Movie/The_Thomas_Crown_Affair/22589663?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1347506257_0_0
  Trailer (Requires Real Player) - http://www.film.com/movies/mediaplayback/the-thomas-crown-affair/17115147
Example of a scene: Early on in the film a statue of a horse is delivered to the museum. No one knows what to do with it so it gets set off to the side. There are several people hiding inside who break out to break into the museum.
Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Scene: Attacking the castle the French have taken control of - the Trojan Rabbit. This is an example of how some really bad malware is written - the package gets delivered before the payload is really ready, and the Trojan Rabbit gets shot right back out of the castle.
Social Engineering
  Wikipedia - http://en.wikipedia.org/wiki/Social_engineering_(security)
  Dictionary.com - http://dictionary.reference.com/search?q=social+engineering&amp;x=0&amp;y=0
Examples:
Wall Street
  IMDB - http://www.imdb.com/title/tt0094291/
  trailer - http://www.imdb.com/title/tt0094291/trailers-screenplay-vi3554738457
  NetFlix link - http://www.netflix.com/Movie/Wall_Street/60003330?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=790572831_0_0
Example scenes: a) talking with his buddy (James Spader), the attorney is initially reluctant to share any information, but Charlie Sheen&#8217;s character convinces him that everyone is doing it; b) posing as a janitor to gain information. Who has access to your office when you are not there?
Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Example of a scene: Where Lancelot goes to the castle filled with women because of the Grail-shaped light at the top. Also the women attempt to use sex to keep the knights at the castle.
Fletch
  IMDB link - http://www.imdb.com/title/tt0089155/
  trailer link - http://www.imdb.com/title/tt0089155/trailers-screenplay-vi3064398105
  NetFlix link - http://www.netflix.com/Movie/Fletch/510088?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1956738209_0_0
Chevy Chase/Fletch uses social engineering to obtain the information he needs - he uses disguises, voices and fake IDs to get what he wants.
Would you participate in a live, call-in show? If so, send us an email!!
Coming Up
August: Lessons learned from Burn Notice on the USA Network. This is available, free, as a streamed series. Plenty of clips. Anyone has access, and it appeals to a wide audience.
  USA Network - full episodes: http://www.usanetwork.com/series/burnnotice/video/fullep/
  USA Network - Clips: http://www.usanetwork.com/series/burnnotice/video/new.html
  Hulu - Clips: http://www.hulu.com/videos/search?query=burn+notice
If nothing else, check out the interviews with Matt Nix. Brilliant writing!
September: Back to School Edition. Thinking about School of Rock and Back to School and maybe Summer School thrown in for giggles. Got ideas? Want to be part of the show?
Movie to watch this month for ideas
Social Engineering - Defcon last year - our friend Mike Murray presented The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion - available on Google Video here: http://video.google.com/videoplay?docid=-1210687204734530548&amp;hl=en (and no, he didn&#8217;t &#8220;persuade&#8221; us to include this. It was the Jackson he slipped us)
Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346</itunes:subtitle>
      <itunes:summary>Whether responsible for security awareness training &#8212; or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down &#8211; in less than 20 minutes &#8212; how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!
Direct Link: TSC-20080716.mp3
Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346
== Detailed Show Notes After the Break ==
(and by detailed, I mean&#8230; wow. Detailed - Thanks to James for pulling the links together!!)
On this episode
5 Critical Life Lessons You Can Learn from Kung Fu Panda - http://www.dumblittleman.com/2008/07/5-critical-life-lessons-you-can-learn.html
The Trojan Horse
Defined:
  Wikipedia - original Trojan Horse - http://en.wikipedia.org/wiki/Trojan_horse
  Wikipedia - Trojan Horse in computing: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
  Dictionary.com - http://dictionary.reference.com/search?q=trojan+horse&amp;x=0&amp;y=0
  Whatis.com - http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html
Examples:
Ocean&#8217;s Eleven - not the good one with Frank Sinatra, the remake with George Clooney
  IMDB link - http://www.imdb.com/title/tt0240772/
  NetFlix link - http://www.netflix.com/Movie/Ocean_s_Eleven/60021783?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1922003599_0_0
  Trailer - http://www.imdb.com/title/tt0240772/trailers-screenplay-vi1822294297
  Hulu clips: http://www.hulu.com/search/oceans+eleven?company=tbs&amp;type=all
Example of a scene: the container that supposedly contains diamonds, sent to the vault, that the acrobat is hiding inside.
Thomas Crown Affair (Pierce Brosnan and the Hottie Rene Russo)
  IMDB link - http://www.imdb.com/title/tt0155267/
  NetFlix link - http://www.netflix.com/Movie/The_Thomas_Crown_Affair/22589663?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1347506257_0_0
  Trailer (Requires Real Player) - http://www.film.com/movies/mediaplayback/the-thomas-crown-affair/17115147
Example of a scene: Early on in the film a statue of a horse is delivered to the museum. No one knows what to do with it so it gets set off to the side. There are several people hiding inside who break out to break into the museum.
Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Scene: Attacking the castle the French have taken control of - the Trojan Rabbit. This is an example of how some really bad malware is written - the package gets delivered before the payload is really ready, and the Trojan Rabbit gets shot right back out of the castle.
Social Engineering
  Wikipedia - http://en.wikipedia.org/wiki/Social_engineering_(security)
  Dictionary.com - http://dictionary.reference.com/search?q=social+engineering&amp;x=0&amp;y=0
Examples:
Wall Street
  IMDB - http://www.imdb.com/title/tt0094291/
  trailer - http://www.imdb.com/title/tt0094291/trailers-screenplay-vi3554738457
  NetFlix link - http://www.netflix.com/Movie/Wall_Street/60003330?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=790572831_0_0
Example scenes: a) talking with his buddy (James Spader), the attorney is initially reluctant to share any information, but Charlie Sheen&#8217;s character convinces him that everyone is doing it; b) posing as a janitor to gain information. Who has access to your office when you are not there?
Monty Python and the Holy Grail
  IMDB link - http://www.imdb.com/title/tt0071853/
  Trailer link - http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
  NetFlix link - http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=784608964_1_0
Example of a scene: Where Lancelot goes to the castle filled with women because of the Grail-shaped light at the top. Also the women attempt to use sex to keep the knights at the castle.
Fletch
  IMDB link - http://www.imdb.com/title/tt0089155/
  trailer link - http://www.imdb.com/title/tt0089155/trailers-screenplay-vi3064398105
  NetFlix link - http://www.netflix.com/Movie/Fletch/510088?trkid=222336&amp;lnkctr=srchrd-sr&amp;strkid=1956738209_0_0
Chevy Chase/Fletch uses social engineering to obtain the information he needs - he uses disguises, voices and fake IDs to get what he wants.
Would you participate in a live, call-in show? If so, send us an email!!
Coming Up
August: Lessons learned from Burn Notice on the USA Network. This is available, free, as a streamed series. Plenty of clips. Anyone has access, and it appeals to a wide audience.
  USA Network - full episodes: http://www.usanetwork.com/series/burnnotice/video/fullep/
  USA Network - Clips: http://www.usanetwork.com/series/burnnotice/video/new.html
  Hulu - Clips: http://www.hulu.com/videos/search?query=burn+notice
If nothing else, check out the interviews with Matt Nix. Brilliant writing!
September: Back to School Edition. Thinking about School of Rock and Back to School and maybe Summer School thrown in for giggles. Got ideas? Want to be part of the show?
Movie to watch this month for ideas
Social Engineering - Defcon last year - our friend Mike Murray presented The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion - available on Google Video here: http://video.google.com/videoplay?docid=-1210687204734530548&amp;hl=en (and no, he didn&#8217;t &#8220;persuade&#8221; us to include this. It was the Jackson he slipped us)
Call for challenges
Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com
Phone number is 206-350-8346</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-07-15,23848868</guid>
      <pubDate>Tue, 15 Jul 2008 21:57:18 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/336766343/TSC-20080716.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, monty python, Information Protection, social engineering, thomas crown affair, pop culture security, trojan horse, Security Awareness Training, PCS</itunes:keywords>
    </item>
    <item>
      <title>The July Security Roundtable is available: Battling Botnets with Botnets</title>
      <link>http://odeo.com/episodes/23298660-The-July-Security-Rountable-is-available-Battling-Botnets-with-Botnets</link>
      <description>Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/ The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community. Thanks to the panel: Colin Dixon | http://www.cs.washington.edu/homes/ckd/ Andrew Hay | http://www.andrewhay.ca/ Martin McKeay | www.mckeay.net Michael Santarcangelo | www.securitycatalyst.com &amp; www.intothebreach.com Joining the conversation in the Security Catalyst Community Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you ha...</description>
      <itunes:subtitle>Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/
The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.
Thanks to the panel:
Colin Dixon | http://www.cs.washington.edu/homes/ckd/
Andrew Hay | http://www.andrewhay.ca/
Martin McKeay | www.mckeay.net
Michael Santarcangelo | www.securitycatalyst.com &amp; www.intothebreach.com
Joining the conversation in the Security Catalyst Community
Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.</itunes:subtitle>
      <itunes:summary>Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/
The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.
Thanks to the panel:
Colin Dixon | http://www.cs.washington.edu/homes/ckd/
Andrew Hay | http://www.andrewhay.ca/
Martin McKeay | www.mckeay.net
Michael Santarcangelo | www.securitycatalyst.com &amp; www.intothebreach.com
Joining the conversation in the Security Catalyst Community
Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-07-09,23298660</guid>
      <pubDate>Wed, 09 Jul 2008 07:51:31 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/330843668/SRT-2008-07.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>srt, netcast, ethics, botnets, Catalyst, Security Catalyst Community, security roundtable</itunes:keywords>
    </item>
    <item>
      <title>netcast for this week: I was the (surprise) guest host on the Netsec Podcast</title>
      <link>http://odeo.com/episodes/23298668-netcast-for-this-week-I-was-the-surprise-guest-host-on-the-Netsec-Podcast</link>
      <description>One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face. So when Martin McKeay and I were &#8220;chatting&#8221; online Tuesday night, he popped in with &#8220;Hey - no pressure, but do you want to cohost tonight?&#8221; It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded. I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening! Find the show notes here: http://netsecpodcast.com/?p=48 And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-07...</description>
      <itunes:subtitle>One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face. So when Martin McKeay and I were &#8220;chatting&#8221; online Tuesday night, he popped in with &#8220;Hey - no pressure, but do you want to cohost tonight?&#8221; It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded. I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!
Find the show notes here: http://netsecpodcast.com/?p=48
And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3
(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn&#8217;t look like we have new shows - you may want to unsubscribe and resubscribe.)</itunes:subtitle>
      <itunes:summary>One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face. So when Martin McKeay and I were &#8220;chatting&#8221; online Tuesday night, he popped in with &#8220;Hey - no pressure, but do you want to cohost tonight?&#8221; It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded. I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!
Find the show notes here: http://netsecpodcast.com/?p=48
And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3
(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn&#8217;t look like we have new shows - you may want to unsubscribe and resubscribe.)</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-07-03,23298668</guid>
      <pubDate>Thu, 03 Jul 2008 13:02:45 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/326064573/nsp-070108-ep110.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>podcast, Security, netcast, into the breach, mckeay, netsec podcast</itunes:keywords>
    </item>
    <item>
      <title>The Challenges for Trustmark (or any Framework/Solution)</title>
      <link>http://odeo.com/episodes/23298674-The-Challenges-for-Trustmark-or-any-Framework-Solution</link>
      <description>I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups &#8212; and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation. As noted earlier in the series, Trustmark initially eases the path for &#8220;channel vendors&#8221; to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of &#8220;due diligence&#8221; today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased. Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefitting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT ...</description>
      <itunes:subtitle>I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups &#8212; and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation. As noted earlier in the series, Trustmark initially eases the path for &#8220;channel vendors&#8221; to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of &#8220;due diligence&#8221; today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased. Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefitting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same.
Three Challenges to Success
Whether developing the Trustmark, working any type of certification or developing a new process, there are three broad challenges to ensuring a successful outcome:
1. building the framework/solution
2. applying the framework/solution
3. verifying the framework/solution
The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. Seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I&#8217;ll be breaking these down into a series of readable columns. However, if there is enough interest, I&#8217;ll pull them together in the end for a cohesive paper and make it available for download. I know that I&#8217;ll be referring back to this research to avoid mistakes in future efforts.
Technorati Tags: catalyst, comptia, BITS, trustmark</itunes:subtitle>
      <itunes:summary>I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups &#8212; and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation. As noted earlier in the series, Trustmark initially eases the path for &#8220;channel vendors&#8221; to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of &#8220;due diligence&#8221; today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased. Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefitting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same.
Three Challenges to Success
Whether developing the Trustmark, working any type of certification or developing a new process, there are three broad challenges to ensuring a successful outcome:
1. building the framework/solution
2. applying the framework/solution
3. verifying the framework/solution
The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. Seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I&#8217;ll be breaking these down into a series of readable columns. However, if there is enough interest, I&#8217;ll pull them together in the end for a cohesive paper and make it available for download. I know that I&#8217;ll be referring back to this research to avoid mistakes in future efforts.
Technorati Tags: catalyst, comptia, BITS, trustmark</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-07-01,23298674</guid>
      <pubDate>Tue, 01 Jul 2008 05:31:50 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/324011758/bits2003framework.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>compliance, Information Protection</itunes:keywords>
    </item>
    <item>
      <title>On Reports (a perspective)&#8230;</title>
      <link>http://odeo.com/episodes/23298676-On-Reports-a-perspective-%E2%80%A6</link>
      <description>By Adam Dodge Lately, there has been a flurry of activity in the land of security breach reports with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support. Before we go any further, yes I do develop a similar report each year and yes my report is subject to the same limitations as all of these other...</description>
      <itunes:subtitle>By Adam Dodge
Lately, there has been a flurry of activity in the land of security breach reports with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support.
Before we go any further, yes I do develop a similar report each year and yes my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and this
What do I mean by &#8220;misinterpretation&#8221;? Well, a common problem with the statistics provided in these reports (remember, I&#8217;m including my own report as well) is that the numbers are based on the sample set, and the ability to apply these numbers depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer so allow me to explain further.
The Verizon report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven&#8217;t read it, go do so now. Seriously, stop reading this and go read the report. It is that good. However, the report is based around 500 forensic investigations performed by Verizon&#8217;s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon has analyzed for this report were not randomly chosen from all breaches that occurred. Instead, the information was mined from the investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for this survey. Most companies are not going to spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches of data such as information left in public, information accidentally placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented as well since these entities lack the funding that larger, for-profit organizations have at their disposal.
What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no good way around this problem yet. Everyone that I talk to involved with tracking breaches has the same complaint: There is no centralized reporting of breaches in the United States and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and public access to breach information.
So am I suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of these is that each and every one of us (including the media) needs to make sure that we are interpreting the data of these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1, or before we discontinue our security awareness and training programs because the Verizon report says that 73% of all breaches came from external sources. How can these reports be so different and yet both be correct? Simple: look to the samples used to compile them.</itunes:subtitle>
      <itunes:summary>By Adam Dodge Lately, there has been a flurry of activity in the land of security breach reports with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support. Before we go any further, yes, I do develop a similar report each year and yes, my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and this What do I mean by &amp;#8220;misinterpretation&amp;#8221;? Well, a common problem with the statistics provided in these reports (remember, I&amp;#8217;m including my own report as well) is that the numbers are based on the sample set and the ability to apply these numbers depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer, so allow me to explain further. The Verizon report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven&amp;#8217;t read it, go do so now. 
Seriously, stop reading this and go read the report. It is that good. However, the report is based around 500 forensic investigations performed by Verizon&amp;#8217;s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon has analyzed for this report were not randomly chosen from all breaches that occurred. Instead, the information was mined from the investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for this survey. Most companies are not going to spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches of data such as information left in public, information accidentally placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented as well, since these entities lack the funding that larger, for-profit organizations have at their disposal. What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no good way around this problem yet. Everyone I talk to who is involved with tracking breaches has the same complaint: there is no centralized reporting of breaches in the United States, and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and public access to breach information. So am I suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. 
These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of this is that each and every one of us (including the media) needs to make sure that we are interpreting the data in these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1, or before we discontinue our security awareness and training programs because the Verizon report says that 73% of all breaches came from external sources. How can these reports be so different and yet both be correct? Simple: look to the samples used to compile them.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-06-16,23298676</guid>
      <pubDate>Mon, 16 Jun 2008 14:22:20 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/pdf" url="http://www.cybercrime.gov/DataBreachesArticle.pdf"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>breach, Information Protection</itunes:keywords>
    </item>
    <item>
      <title>Security Roundtable for June 2008: Clarion Call of the Jericho Forum</title>
      <link>http://odeo.com/episodes/23298677-Security-Roundtable-for-June-2008-Clarion-Call-of-the-Jericho-Forum</link>
      <description>If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you&amp;#8217;re doing and take a listen to this month&amp;#8217;s Security Roundtable. After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what Jericho Forum is, and what it does. We learned a lot and share the discussion with you&amp;#8230; Joining us on the program: &#160; Michael Santarcangelo -&#160;The Security Catalyst&#160;and author of&#160;Into the Breach Martin McKeay - Host of the&#160;Network Security Podcast&#160;and Captain Privacy Chris Hoff&#160;- Luminary and Jogger Paul Simmonds (bio below) - Co-Founder Jericho Forum Shane Buckley (bio below) - CEO&#160;Rohati Systems &#160; &#160; Learn more about Jericho Forum:&#160;http://www.opengroup.org/jericho/ &#160; &#160; Paul Simmonds, Co-founder and board of management Jericho Forum&#160; &amp;amp; former CISO, ICI Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul&#8217;s varied career has included Electronic...</description>
      <itunes:subtitle>If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you&amp;#8217;re doing and take a listen to this month&amp;#8217;s Security Roundtable. After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what Jericho Forum is, and what it does. We learned a lot and share the discussion with you&amp;#8230; Joining us on the program: &#160; Michael Santarcangelo -&#160;The Security Catalyst&#160;and author of&#160;Into the Breach Martin McKeay - Host of the&#160;Network Security Podcast&#160;and Captain Privacy Chris Hoff&#160;- Luminary and Jogger Paul Simmonds (bio below) - Co-Founder Jericho Forum Shane Buckley (bio below) - CEO&#160;Rohati Systems &#160; &#160; Learn more about Jericho Forum:&#160;http://www.opengroup.org/jericho/ &#160; &#160; Paul Simmonds, Co-founder and board of management Jericho Forum&#160; &amp;amp; former CISO, ICI Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul&#8217;s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio.&#160;Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager.&#160; Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 &amp;amp; 2005 global top 50 most powerful people in networking by the US publication Network World. &#160;Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach. &#160; Shane Buckley, President &amp;amp; CEO, Rohati Systems, Inc. Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. 
Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific. &#160; Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc., a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com&#8217;s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com&#8217;s Global Distribution Council, was a member of the company&#8217;s worldwide OEM steering team, and served as 3Com&#8217;s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo.&#160; &#160; Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland. &#160;</itunes:subtitle>
      <itunes:summary>If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you&amp;#8217;re doing and take a listen to this month&amp;#8217;s Security Roundtable. After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what Jericho Forum is, and what it does. We learned a lot and share the discussion with you&amp;#8230; Joining us on the program: &#160; Michael Santarcangelo -&#160;The Security Catalyst&#160;and author of&#160;Into the Breach Martin McKeay - Host of the&#160;Network Security Podcast&#160;and Captain Privacy Chris Hoff&#160;- Luminary and Jogger Paul Simmonds (bio below) - Co-Founder Jericho Forum Shane Buckley (bio below) - CEO&#160;Rohati Systems &#160; &#160; Learn more about Jericho Forum:&#160;http://www.opengroup.org/jericho/ &#160; &#160; Paul Simmonds, Co-founder and board of management Jericho Forum&#160; &amp;amp; former CISO, ICI Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul&#8217;s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio.&#160;Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager.&#160; Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 &amp;amp; 2005 global top 50 most powerful people in networking by the US publication Network World. &#160;Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach. &#160; Shane Buckley, President &amp;amp; CEO, Rohati Systems, Inc. Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. 
Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific. &#160; Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc., a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com&#8217;s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com&#8217;s Global Distribution Council, was a member of the company&#8217;s worldwide OEM steering team, and served as 3Com&#8217;s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo.&#160; &#160; Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland. &#160;</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-06-11,23298677</guid>
      <pubDate>Wed, 11 Jun 2008 21:24:36 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/310384597/SRT-2008-06.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, Information Protection, santarcangelo, jericho forum</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst Show - Pop Culture Security (debut): Night at the Museum</title>
      <link>http://odeo.com/episodes/23298682-Security-Catalyst-Show-Pop-Culture-Security-debut-Night-at-the-Museum</link>
      <description>Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges. This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel&amp;#8217;s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program. For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO).&#160; Mo...</description>
      <itunes:subtitle>Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges. This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel&amp;#8217;s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program. For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO).&#160; Movie at IMDB (including synopsis):&#160;http://www.imdb.com/title/tt0477347/ Movie Trailer:&#160;http://www.imdb.com/video/screenplay/vi2459500825/ This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works! To participate in the monthly challenge: call&#160;&#160;206-350-8346 and leave us a message with your challenge email popculturesecurity &amp;amp;at&amp;amp; securitycatalyst dot com &#160; PS: I recently purchased a snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit - and feel that my sound is hollow and tinny; as such, I&amp;#8217;ll be exploring how to restore the sound quality I appreciate in the coming days. 
The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable - shoot me a note. In the meantime, enjoy the programs. More to come next week, with an &amp;#8220;Author Interview.&amp;#8221;</itunes:subtitle>
      <itunes:summary>Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges. This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel&amp;#8217;s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program. For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum - a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO).&#160; Movie at IMDB (including synopsis):&#160;http://www.imdb.com/title/tt0477347/ Movie Trailer:&#160;http://www.imdb.com/video/screenplay/vi2459500825/ This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful - especially if you are interested in building a security awareness training program that works! To participate in the monthly challenge: call&#160;&#160;206-350-8346 and leave us a message with your challenge email popculturesecurity &amp;amp;at&amp;amp; securitycatalyst dot com &#160; PS: I recently purchased a snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit - and feel that my sound is hollow and tinny; as such, I&amp;#8217;ll be exploring how to restore the sound quality I appreciate in the coming days. 
The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable - shoot me a note. In the meantime, enjoy the programs. More to come next week, with an &amp;#8220;Author Interview.&amp;#8221;</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-05-28,23298682</guid>
      <pubDate>Wed, 28 May 2008 05:37:59 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/310384598/TSC-20080528.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>netcast, Catalyst, compliance, Information Protection, pop culture security, Security Awareness Training</itunes:keywords>
    </item>
    <item>
      <title>TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability</title>
      <link>http://odeo.com/episodes/23298685-TSC-May-21-2008-The-Right-Way-to-Address-the-Debian-OpenSSL-Vulnerability</link>
      <description>It was disclosed last week that a vulnerability in the OpenSSL packages used by Debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector. Plenty of specific details and analysis can be found in different places, including: http://wiki.debian.org/SSLkeys http://www.us-cert.gov/cas/techalerts/TA08-137A.html http://www.kb.cert.org/vuls/id/925211 http://secunia.com/advisories/30220/ For many, this signals the fire-drill of reaction and patching &amp;#8212; just in time for a big holiday weekend (aka the &#8220;start of summer&#8221;) here in the United States. Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As...</description>
      <itunes:subtitle>It was disclosed last week that a vulnerability in the OpenSSL packages used by Debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector. Plenty of specific details and analysis can be found in different places, including: http://wiki.debian.org/SSLkeys http://www.us-cert.gov/cas/techalerts/TA08-137A.html http://www.kb.cert.org/vuls/id/925211 http://secunia.com/advisories/30220/ For many, this signals the fire-drill of reaction and patching &amp;#8212; just in time for a big holiday weekend (aka the &#8220;start of summer&#8221;) here in the United States. Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication &#8211; and is ripe for error. Step in Venafi. When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?) &#8211; and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain. During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results. It comes from planning and following a process informed by experience &#8211; and we&#8217;ll share the insights with you in 30 minutes or less! 
In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/ Tune in next week for the debut of the Pop Culture Security podcast &#8211; your monthly &#8220;how-to&#8221; for Security Awareness Training.</itunes:subtitle>
      <itunes:summary>It was disclosed last week that a vulnerability in the OpenSSL packages used by Debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector. Plenty of specific details and analysis can be found in different places, including: http://wiki.debian.org/SSLkeys http://www.us-cert.gov/cas/techalerts/TA08-137A.html http://www.kb.cert.org/vuls/id/925211 http://secunia.com/advisories/30220/ For many, this signals the fire-drill of reaction and patching &amp;#8212; just in time for a big holiday weekend (aka the &#8220;start of summer&#8221;) here in the United States. Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication &#8211; and is ripe for error. Step in Venafi. When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?) &#8211; and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain. During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results. It comes from planning and following a process informed by experience &#8211; and we&#8217;ll share the insights with you in 30 minutes or less! 
In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/ Tune in next week for the debut of the Pop Culture Security podcast &#8211; your monthly &#8220;how-to&#8221; for Security Awareness Training.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-05-21,23298685</guid>
      <pubDate>Wed, 21 May 2008 09:21:48 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/blog/podpress_trac/feed/449/0/TSC-05212008.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Security, netcast, debian, Information Protection, Security Awareness Training, openSSL, venafi, Professional Speaking</itunes:keywords>
    </item>
    <item>
      <title>Electronic Medical Records:  Friend or Foe?</title>
      <link>http://odeo.com/episodes/23298691-Electronic-Medical-Records-Friend-or-Foe</link>
      <description>By Patrick Romero In 2004, President Bush set a goal that by 2014 most Americans would be using an Electronic Medical Record (EMR). In his vision, doctors would be using EMR systems with interoperable standards that would allow them to share lab results, images, computerized orders and prescription information with hospitals and other health facilities. The Office of the National Coordinator for Health Information Technology was created by President Bush to guide the work on EMR standards and coordinate public and private efforts. Its job is to define minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications. The reasons for the insufficient progress are many, according to the report, &amp;#8220;Gauging the Progress of the National Health Information Technology Initiative.&amp;#8221; They include slow adoption of EMRs by physician practices, the impractical nature of a national healt...</description>
      <itunes:subtitle>By Patrick Romero In 2004, President Bush set a goal that by 2014 most Americans would be using an Electronic Medical Record (EMR). In his vision, doctors would be using EMR systems with interoperable standards that would allow them to share lab results, images, computerized orders and prescription information with hospitals and other health facilities. The Office of the National Coordinator for Health Information Technology was created by President Bush to guide the work on EMR standards and coordinate public and private efforts. Its job is to define minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications. The reasons for the insufficient progress are many, according to the report, &amp;#8220;Gauging the Progress of the National Health Information Technology Initiative.&amp;#8221; They include slow adoption of EMRs by physician practices, the impractical nature of a national health information network, the difficulty of creating interoperability standards and Congress&amp;#8217; failure to pass legislation addressing health IT roadblocks. A 2005 survey estimated that only 13 percent of solo practitioners and 16 percent of groups with 2&#8211;4 physicians have adopted EMRs, compared to 29 percent of groups with 10&#8211;19 physicians and 39 percent of groups with 20 or more physicians. The office, created by Bush to guide the work on EMR standards and coordinate public and private efforts, defines minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications. 
Slightly more than a quarter of practices with 11 or more physicians &amp;#8212; a situation that describes only 8% of doctors &amp;#8212; used comprehensive EMRs in 2006, according to an October 2007 Centers for Disease Control and Prevention report based on the National Ambulatory Medical Care Survey. Solo or single partner practices &amp;#8212; which account for almost half of all doctors &amp;#8212; reported much lower levels of comprehensive EMR use: 7.1% of solo practitioners, 9.7% of those with a partner. Another reason for slow progress on EMR adoption is that a national health information network is impractical, said experts in the California foundation report. The system is intended to be a &amp;#8220;network of networks&amp;#8221; linking state, regional and other health information exchanges so they can share information. According to the eHealth Initiative Foundation (eHI), 28 states have initiated Health Information Technology (HIT) planning and an additional seven states have progressed to the implementation stage. Privacy Concerns The Medicare Electronic Medication and Safety Protection Act (S 2408), sponsored by Sen. John Kerry, would require physicians to use e-prescribing for Medicare patients or face a 10% cut in payments. The bill is pending in the Senate Finance Committee. Deborah Peel, head of the Coalition for Patient Privacy, said an e-prescribing bill would be an excellent opportunity to prohibit data mining. Privacy advocates are concerned that the bill should come with more privacy protection. They would like to require that any prescription data transmitted electronically be used for the express purpose of prescription filling and submitting the necessary codes to the insurer for payment. Other provisions being sought are annual reports to patients listing everyone who accessed their data and mandated security breach notifications. 
While EMRs are not a panacea for fixing our national medical system, they do offer more than traditional modes of storing information. The government should continue to encourage doctors to implement EMRs in their practice through substantial grants and subsidization. There are currently such programs, but more needs to be done to publicize them. While a mandate might eventually be necessary, there are less restrictive alternatives currently available. Nevertheless, it is time that the medical community catch up with other sectors of our economy that have embraced the use of digital information.</itunes:subtitle>
      <itunes:summary>By Patrick Romero In 2004, President Bush set a goal that by 2014 most Americans would be using an Electronic Medical Record (EMR). In his vision, doctors would be using EMR systems with interoperable standards that would allow them to share lab results, images, computerized orders and prescription information with hospitals and other health facilities. The Office of the National Coordinator for Health Information Technology was created by President Bush to guide the work on EMR standards and coordinate public and private efforts. Its job is to define minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications. The reasons for the insufficient progress are many, according to the report, &amp;#8220;Gauging the Progress of the National Health Information Technology Initiative.&amp;#8221; They include slow adoption of EMRs by physician practices, the impractical nature of a national health information network, the difficulty of creating interoperability standards and Congress&amp;#8217; failure to pass legislation addressing health IT roadblocks. A 2005 survey estimated that only 13 percent of solo practitioners and 16 percent of groups with 2&#8211;4 physicians have adopted EMRs, compared to 29 percent of groups with 10&#8211;19 physicians and 39 percent of groups with 20 or more physicians. The office, created by Bush to guide the work on EMR standards and coordinate public and private efforts, defines minimally functional systems as those on which doctors can record and manage progress notes, order tests, record test results and electronically prescribe medications. 
Slightly more than a quarter of practices with 11 or more physicians &amp;#8212; a situation that describes only 8% of doctors &amp;#8212; used comprehensive EMRs in 2006, according to an October 2007 Centers for Disease Control and Prevention report based on the National Ambulatory Medical Care Survey. Solo or single partner practices &amp;#8212; which account for almost half of all doctors &amp;#8212; reported much lower levels of comprehensive EMR use: 7.1% of solo practitioners, 9.7% of those with a partner. Another reason for slow progress on EMR adoption is that a national health information network is impractical, said experts in the California foundation report. The system is intended to be a &amp;#8220;network of networks&amp;#8221; linking state, regional and other health information exchanges so they can share information. According to the eHealth Initiative Foundation (eHI), 28 states have initiated Health Information Technology (HIT) planning and an additional seven states have progressed to the implementation stage. Privacy Concerns: The Medicare Electronic Medication and Safety Protection Act (S 2408), sponsored by Sen. John Kerry, would require physicians to use e-prescribing for Medicare patients or face a 10% cut in payments. The bill is pending in the Senate Finance Committee. Deborah Peel, head of the Coalition for Patient Privacy, said an e-prescribing bill would be an excellent opportunity to prohibit data mining. Privacy advocates are concerned that the bill should come with more privacy protection. They would like to require that any prescription data transmitted electronically be used for the express purpose of prescription filling and submitting the necessary codes to the insurer for payment. Other provisions being sought are annual reports to patients listing everyone who accessed their data and mandated security breach notifications. 
While EMRs are not a panacea for fixing our national medical system, they do offer more than traditional modes of storing information. The government should continue to encourage doctors to implement EMRs in their practice through substantial grants and subsidization. There are currently such programs, but more needs to be done to publicize them. While a mandate might eventually be necessary, there are less restrictive alternatives currently available. Nevertheless, it is time that the medical community catch up with other sectors of our economy that have embraced the use of digital information.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-05-14,23298691</guid>
      <pubDate>Wed, 14 May 2008 19:37:26 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="application/vnd.ms-powerpoint" url="http://www.hhs.gov/healthit/ahic/materials/meeting10/ehr/Rippen.ppt"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>Information Protection</itunes:keywords>
    </item>
    <item>
      <title>May 2008 Security Round Table | RSA - Going Beyond the Hype</title>
      <link>http://odeo.com/episodes/23298694-May-2008-Security-Round-Table-RSA-Going-Beyond-the-Hype</link>
      <description>I had a great time at RSA 2008 this year, but didn&amp;#8217;t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week &amp;#8212; and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad &amp;#8212; after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights. RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives. I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next ...</description>
      <itunes:subtitle>I had a great time at RSA 2008 this year, but didn&amp;#8217;t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week &amp;#8212; and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad &amp;#8212; after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights. RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives. I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference! This marks the return of the SRT. We already have the June SRT recorded &amp;#8212; a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we&amp;#8217;ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT &amp;#8212; the responsibility of security bloggers and the role of new media. Happy Listening.</itunes:subtitle>
      <itunes:summary>I had a great time at RSA 2008 this year, but didn&amp;#8217;t attend any keynotes and only saw some snippets of sessions. Yet I took several *quality* briefings during the course of the week &amp;#8212; and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad &amp;#8212; after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights. RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives. I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference! This marks the return of the SRT. We already have the June SRT recorded &amp;#8212; a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we&amp;#8217;ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT &amp;#8212; the responsibility of security bloggers and the role of new media. Happy Listening.</itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2008-05-14,23298694</guid>
      <pubDate>Wed, 14 May 2008 16:58:37 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="audio/mpeg" url="http://www.securitycatalyst.com/blog/podpress_trac/feed/447/0/SRT-200805.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
      <itunes:keywords>srt, social media, netcast, blogger, Catalyst, rsa</itunes:keywords>
    </item>
    <item>
      <title>Security Catalyst 27 (Wireless Law!, Compliance Advice, Your top 5?)</title>
      <link>http://odeo.com/episodes/1116185-Security-Catalyst-27-Wireless-Law-Compliance-Advice-Your-top-5</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-04-27,1116185</guid>
      <pubDate>Thu, 27 Apr 2006 15:50:01 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-27-20060427.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
    <item>
      <title>Security Catalyst 26 - Insider Interviews - Randal Schwartz</title>
      <link>http://odeo.com/episodes/1079697-Security-Catalyst-26-Insider-Interviews-Randal-Schwartz</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-04-21,1079697</guid>
      <pubDate>Fri, 21 Apr 2006 15:25:06 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-26-20060421.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
    <item>
      <title>Security Catalyst 25 - Insider Interviews - Podslurping with Abe Usher</title>
      <link>http://odeo.com/episodes/1079696-Security-Catalyst-25-Insider-Interviews-Podslurping-with-Abe-Usher</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-04-13,1079696</guid>
      <pubDate>Thu, 13 Apr 2006 16:15:23 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-25-20060413.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
    <item>
      <title>Security Catalyst 24 - (Insider Interviews) Wireless Security Basics with Red Wagner</title>
      <link>http://odeo.com/episodes/1079693-Security-Catalyst-24-Insider-Interviews-Wireless-Security-Basics-with-Red-Wagner</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-04-07,1079693</guid>
      <pubDate>Fri, 07 Apr 2006 17:26:50 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-24-20060407.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
    <item>
      <title>Security Catalyst 23 - Greylisting (and why you should be using it)</title>
      <link>http://odeo.com/episodes/1079691-Security-Catalyst-23-Greylisting-and-why-you-should-be-using-it</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-04-05,1079691</guid>
      <pubDate>Wed, 05 Apr 2006 21:06:57 -0700</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-23-20060405.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
    <item>
      <title>Security Catalyst 22 (Insider Interviews) - How to protect yourself from Identity Theft with John Sileo</title>
      <link>http://odeo.com/episodes/1079687-Security-Catalyst-22-Insider-Interviews-How-to-protect-yourself-from-Identity-Theft-with-John-Sileo</link>
      <description></description>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary></itunes:summary>
      <guid isPermaLink="false">tag:odeo.com,2006-03-31,1079687</guid>
      <pubDate>Fri, 31 Mar 2006 04:15:42 -0800</pubDate>
      <itunes:explicit>no</itunes:explicit>
      <enclosure type="" url="http://www.securitycatalyst.com/podcasts/SC-22-20060330.mp3"/>
      <itunes:author>The Security Catalyst</itunes:author>
    </item>
  </channel>
</rss>
