Invincible


New York Magazine article “The Young Invincibles: A Generation Uninsured” discusses the way uninsured 20-30 year olds in New York deal with health risks (link and commentary from Concurring Opinions.)

The article is an interesting study of people who do not participate in the most common health risk management strategy: insurance. Unable to afford it, or “rationally” choosing to be uninsured, they have created their own strategies to minimize exposure. Curtailing snowboarding activities (only the half pipe), daily brushing, and yoga are balanced with careers as bike messengers and retailers. There is a wide range of risk appetites: the bike messenger who feels that “helmets are cumbersome,” and an artist who eschews bicycling completely. Maintenance and prevention are expensive or inconvenient, so the Invincible’s focus is on the severe or catastrophic cases.

Are there corporations out there that believe themselves to be “invincible”? Is this the sort of attitude that prevents real security from becoming embedded into a corporate culture? No doubt possible. Also likely is the false sense of security associated with “compliance” as a risk mitigation technique. SOX is like a bicyclist’s helmet (“too cumbersome”). PCI is like brushing your teeth every day. No one condemns daily brushing, but it won’t help when you get a kick in the teeth.

(I recall my own period of “invincibility.” Working without insurance as a deckhand on a towboat on the Ohio, Tennessee and Cumberland Rivers, I didn’t see the dangers of hopping from barge to coal soot covered barge, lugging 90-lb ratchets and wire, all risk mitigated by my Redwings and a bump hat. Not until a near death experience while epoxying the inside of a fresh water tank did I think “Hey, what if I get crushed? What if my brain is actually damaged, and no one will ever get my jokes?” Then I sought less perilous employment. With a health and dental plan. So I found my way to the Guild of the Green Eyeshade.)

Men’s 8-inch work boot with metatarsal guard courtesy Redwing.


One Man’s Trash


The righteous fury of Texas Attorney Abbott was last month stymied by an elite cadre of county clerk ninjas who conjured a shambling legislative behemoth to crush his valiant effort to protect the privacy of Texans.
Abbott screwed his courage to the sticking place, and was not to be denied.

Laying down the latex gauntlet, and taking a dog-eared chapter from a 1987 hacker’s playbook, he strikes a meaty vein of SSN-laden paydirt in the dumpsters of Radio Shack, a beauty school and a talent agency.

Having done a bit of professional dumpster diving myself, I laud the AG’s efforts. Nothing increases a man’s disposal awareness more than seeing a dude in a suit digging through garbage.

No doubt the most disturbing part of the story is the sample recovered receipt displayed on the AG’s website. I mean, $99.97 for a 2 GB portable drive? With $17.99 for a 12 month warranty? Now that’s obscene.

Illustration courtesy Speas.


Auditing Privacy Part 2 – Risk Assessment of Data Loss

The easy way to assess privacy risks is to focus on the impact of data theft to the organization by treating the private data as a corporate asset. There are well documented methods to identify the vulnerabilities in the means of collecting, storing and sharing the data. Similarly, there are methods to identify and list the threats to the data (hackers, “insiders,” and negligent loss). The impacts will likely shake out along the lines of direct costs (postage, call center, other incident response costs), potential legal and regulatory actions and reputation damage. (For an example, Protegrity assessed the TJX data breach at $1.7 billion; though TJX was not strictly a privacy issue, it has parallels*.)

This would be the easy way, but it may not produce the most accurate results. The problem lies in identifying the impacts of a privacy breach. The attribute of “privacy” assigned to the data is what makes the data valuable, and worthy of protection. However, “privacy” is not an attribute that belongs to the corporation, but to the individual the data describes. So an assessment of the risk to the corporation from privacy loss should start by looking at the impact of the loss to the individual.


Why do many corporations, when disclosing losses of tremendous amounts of data, appear to suffer only short term damage to their reputation? I posit that the potential damage to a corporation is proportional to the actual real damage to the privacy of the individuals described in the lost data. (See Guin v Brazos)

The real impact of a privacy incident on individuals has been hidden behind a cloud of security vendor fear mongering and media induced panic. The common problem is equating data loss with a privacy breach. Identity theft properly defined is likely a higher impact, lower frequency event than is commonly reported.

The SB1386-style disclosure laws have been a boon to identifying the frequency of data loss, but the information that has to be disclosed does little to help identify the impact. An auditor concerned strictly with compliance would have to assign equal risk to any loss of private data. But the auditor should take the risk assessment to the next step and focus on the individuals, identifying the risks that lead to actual harm to the privacy of individuals. Compliance risk is equivalent for the loss of a laptop carrying an encrypted database of private data and for the same database being heisted unencrypted off a web server by a criminal with the intent to exploit the identities. The real risk to the privacy of the individuals described in the database is clearly different.

Beyond the risk of a data loss, the auditor should also consider the equally important risks of the collection of private data and the dossier-ification of data. More on that later.

*Why the high risk to TJX? Though not strictly a privacy issue, the damages related are an issue of a loss to a third party – the banks – rather than TJX itself.

“Some would call this good fortune” from s2art


Impacted Molars II


Occlusal
Panopticonistas Cyveillance say ID theft is so bad, we are all going to die. Seems like shutting down copyright scofflaws got a little too Web 1.0 for them, so they’ve unleashed their vicious crawling spiders on a search for contraband identities. And guess what they found out? EVERYBODY’S IDENTITY IS ALREADY PWN’D! Now that they’ve collected this data, I’m curious as to what are they going to do with all those credit card numbers, SSNs and mothers’ maiden names. Did they help shut down the sites hosting the illicit data? Did they notify the victims? This sort of research is on an odd ethical footing. I hope they get it all sorted before they do their research on other forms of digital contraband.

Distal
California Secretary of State Debra Bowen kicks ass in the name of privacy for Californians. She gets privacy, and maybe even cares about the citizens of California. I wish she could impart some of her knowledge to the Texas county clerks.

Mandibular
CDT publishes their draft Privacy Principles for Identification. They seem pretty much like the Fair Information Practices to me, which is not necessarily a bad thing.

Fake Teeth Resting on Image of Monk courtesy jsdart


Insider Threat Assessment


Step one: Play a crappy new-agey cover of “All Along the Watchtower.”


Panopticon Enabled Desktops Increase Productivity!


From Dark Reading, the joys of workforce monitoring software with Ascentive!:

“We call it ‘workforce activity management,'” says Schran. “Our latest edition provides all the insight necessary to eliminate time-wasting, increase productivity, and protect private company data.”

Or, in the words of Ascentive’s VP of Customer Relations Jeremy Bentham,

Morals reformed – health preserved – industry invigorated – instruction diffused – public burthens lightened – Economy seated, as it were, upon a rock – the gordian knot of Gramm Leach Bliley and Sarbanes-Oxley are not cut, but untied – all by a simple idea in Software Architecture!

More from Dark Reading:

Perhaps even more importantly, employee monitoring tools can deter workers from insider activities such as data theft or unauthorized file access, Schran adds. “If your employees are downloading files to a USB device, our software will record that action,” he says. “Our data has already been used in evidentiary proceedings in court.”

But I prefer the hot buzz on this product from their EU Product Evangelist Michel Foucault:

The heaviness of the old ‘houses of security’, with their fortress-like architecture, could be replaced by the simple, economic geometry of a ‘house of certainty’. The efficiency of power, its constraining force have, in a sense, passed over to the other side – to the side of its surface of application. He who is subjected to a field of visibility, and who knows it, assumes responsibility for the constraints of power; he makes them play spontaneously upon himself; he inscribes in himself the power relation in which he simultaneously plays both roles; he becomes the principle of his own subjection. By this very fact, the external power may throw off its physical weight; it tends to the non-corporal; and, the more it approaches this limit, the more constant, profound and permanent are its effects: it is a perpetual victory that avoids any physical confrontation and which is always decided in advance.


And they say security software people don’t read post-structuralist French philosophers. Heck, Foucault is all around you! I running a Jacques Derrida Packet Sniffer & Deconstructor right now! Or am I?


Auditing Privacy Part 1 – Ethics and the Canon

It would comfort many compliance auditors to discover the ultimate checklist and tear after their organization’s privacy program, collecting tick marks and developing the dreaded deficiency finding. I say to them, “Google is your friend.” For the more enlightened internal auditor, the first step in evaluating their organization’s privacy practices should be a step back.

The Canon
There are best practices, and there are benchmarks. There are torts, laws, and rational fear of the irrational regulator. However, for most every auditable area there is also The Canon. Take a file to the gilded crust of Sarbanes-Oxley and the PCAOB (and all their works and all their ways), and you eventually uncover the Generally Accepted Accounting Principles. Take a snowblower to the myriad layers of dust and ash of the Code of Federal Regulations. If you squint and hold your head just right, you’ll see a vague outline of the Decalogue. And somewhere below the ornate filigree and baroque ornamentation of HIPAA, Gramm Leach Bliley and SB1386 is the shape of the Fair Information Practices of the US Department of Health, Education and Welfare, 1973.

From the link above, here are the five practices of the modern privacy canon:

  1. Collection limitation
  2. Disclosure
  3. Secondary usage
  4. Record correction
  5. Security

These five principles will be your mantra for your audit. They will guide your questions and inform your issues. Advanced practitioners may choose from the following according to their path:

The AICPA’s 10 Generally Accepted Privacy Principles

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The Ethos
Like the Torah, the Sermons of Buddha, the Qur’an, the Gospels, or Fermat’s Principle, a canon is only meaningful if applied. You must ask the CEO, the CIO, the Chief Marketeer, the General Counsel, and listen, and interpret their answers accordingly. Are the principles used as values to guide their decisions, obstacles to be worked around, or are they simply unknown? Read your corporate policies regarding privacy. Do you see in them evidence of the Fair Information Practices, or do they appear to be more oriented to a specific set of industry specific regulations? Interview the folks who handle the data. Do they treat the data with the care they would treat their own? The answers to these questions will begin to lead you to determining if your organization has the ethical basis for a privacy program.

What Does This Mean?
A compliance oriented organization may maintain reasonable concordance with the Fair Information Practices without even knowing what they are. However, the organization may be reactive, and inefficient. The organization’s privacy direction will be dictated by outside entities, rather than developed within.
An organization with a firm foundation in privacy practices, coupled with an ethical duty to privacy, will be more efficient, more effective, and retain a better reputation in the face of an incident.


I Am Not A Cop


A couple of posts on the role of internal audit in the information security controls of a company got me thinking.
First, Anton describes the auditor-as-“policing agent” model:

  • InfoSec develops controls.
  • Operations operationalizes them.
  • Audit goes around with a checklist to make sure they got done

Farnum at Computerworld comments, as does Rothman.

The issue I have with this model is that if what InfoSec develops is inadequate, it could still be well implemented. InfoSec should take ownership of the controls, ensure they are implemented, and monitor their performance after they are implemented. When the auditor comes along, he or she should be looking not only at the implementation, but at whether the system as designed by InfoSec achieves the requisite goals of risk reduction acceptable to the board. Unlike the crime, systems development or drug prescription analogies, information security is an ongoing management process.

So I’m looking through rose colored glasses rather than my usual green eyeshade, but I’m not going to play Kavenaugh to bunch of Mackeys.


More Questions than answers

This evening has been spent practicing for my SXSW day show: a brief discussion about privacy for which some auditors will be getting CPE. As a result, I have also spent the evening listening to my voice slowly decay into a burbling croak.

But, I was happy that IT Security published what’s on their blog feed. Some good stuff there, and I’m definitely subscribing to fellow Texan McKeay’s keenly honed published thoughts. He nailed the county clerk bit better than I could. I could have saved some electrons and blood vessels if I read him first.

Speaking of privacy, my favorite bass player got in the mail a solicitation to participate in a clinical study of some new medicine that replaces some prescription med. The suggested way to sign up was to go to a url: http://MYWIFESNAME.DRUGCOMPANYNAME.COM. That seemed odd. Half of me wants to do some DNS-fu on the beast, see what names I can get (if any), and see what information I can gather. The other half of me is mildly outraged but barely has the energy to google to find others in equivalently mild states of outrage. The third half feels like having a scotch and going to bed. Strictly for medicinal purposes. In Balvenie veritas.


Repost Redux: Special SXSW Edition

Having read a few additional commentaries, I began to think some more on two issues I posted about earlier.

Greg Abbott vs. The County Clerks
Mordaxus at Emergent Chaos says we need to chill, which made me wonder if there was less to this issue than I previously thought. The more I think of it, though, the less appealing the whole mess appears. The clerks routinely sell the data in their charge to data brokers. The Open Records Act (Texas’ FOIA) allows the clerks to charge for the records. By redacting the confidential parts, the data would be less attractive to the brokers, and the clerks’ revenue stream might dry up.
The clerks are digitizing and distributing information on the Internet beyond the scope of its original purpose, and counter to Texas law. I don’t have a problem holding these folks accountable to the law and their duty as custodians of the data. I will be having a beer or three at SXSW, though, probably at the Yard Dog and at Woody’s.

The Hacker vs. The Corporation
Both Emergent Chaos and ArsTechnica have things to say about the study I posted about yesterday. EC posted a link to the study, but after reading it, I don’t think I’ve changed my mind. I am, in fact, more confused about the purpose of the study than before. The distinction between “hacker” and “corporate malfeasance” does not strike me as interesting as the distinction between “stolen” and “lost.” The question for me as a consumer remains a question of risk. Am I more likely to suffer damage to my reputation or finances if my personal data is “lost” or if it is “hacked”? No doubt frequency is part of the equation, but so are the capabilities and intention of the threat.

Photo of the Casting Couch in action by me.
