Last Friday, Amrit again said that no wars are won through awareness, and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools, providing a truly massive list of differing technologies that he feels shouldn’t be “de-prioritized”. Tools don’t mean jack if users don’t understand why they are there and how to appropriately use them. The appropriate time to begin user awareness training is not after everything else is in place, or even after “bare bones security measures”, but right away.
The time (as Amrit puts it) to “skip barefoot and joyfully through the glass shards that are human behavior” is day one. That’s why at most large companies new employee orientation includes a copy of the employee handbook and includes a review of the contents. How hard would it really be to add in a bit about appropriate use? For that matter, companies that fall under SOX already have employees annually signing that they understand the corporate ethics rules, again a prime time to also remind them of information security. Sure it’s only once a year but combine that with monthly postings to an intranet site or email newsletter and suddenly with a minimum of effort you can make a huge difference. Will users occasionally still click on a virus infected email? Sure. Are they less likely to leave their laptops in the back seat of their cars if you give them an occasional reminder not to? You betcha and if I can reduce laptop loss by even a couple of percent or don’t have to fire an employee for misconduct, then it’s more than worth that minimum effort.

Defending Metrics

Yesterday, I attacked metrics, claiming that the way they are being used today, they are useless to upper management and don’t relate the value of the InfoSec team to the business. While I stand behind that claim, I also believe that a lot of the metrics being collected today are very useful to technical management, especially those with operational responsibilities. With that in mind, I’d like to point our readers to a newish blog, Security Retentive by Andy Steingruebl. Andy and I worked together way back when, and I can’t say enough nice things about him. On Sunday, Andy talked about building effective metrics. In this case, he talked about vulnerability management, though he promises to cover anti-virus software and software security in later posts. I for one will be on the lookout for the follow-ups. Andy covers a good strategy for launching and measuring a vulnerability management program. I don’t want to steal his thunder, so go read what he has to say.

Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI, and we got to talking about metrics. Specifically, we talked about how most of the metrics that we security folks come up with are, well, boring, and effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large. Yesterday, Alex posted a great article on the sad state of metrics in our industry. I claim no credit whatsoever for any of Alex’s content (his thoughts there go far deeper than anything we covered over bowls of Pho), but I heartily encourage you all to read what he has to say, as he covers far more ground than what I’ve hinted at above.

One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email them/fill out the stupid little form and mail it to them. I was pleasantly surprised however to discover that in fact they were doing the exact opposite. The letter was actually an opt-in for data sharing. I really love it when companies make things easier for me. Interestingly, their posted privacy policy claims that the opt-in is only for residents of California and Vermont and I’m not living in either of those states. So I guess they’ve expanded their process beyond those states. Regardless of the reason, I appreciate the way these folks have done things.

The ‘Gay Marriage’ of Computer Security?

Reading Dale Carpenter’s post on Volokh, “Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize):

What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) since the state supreme court ordered the recognition of gay marriages in 2004. Back then, before the state had any experience with such marriages, there was overwhelming opposition to the idea. Only about a third of the state’s 200 legislators fully supported gay marriage. The only real disagreement was whether the state should constitutionally ban both civil unions and gay marriages or just ban gay marriages. Opponents of gay marriage back then gambled that they could hold out for a broad ban — a tactical decision that cost them.

The delay … let the initial anxiety subside. More than 8,500 same-sex couples got married in the state with no obvious or immediate effect on Massachusetts families or existing marriages.

I think we’re seeing something very similar around broad breach disclosure. There was overwhelming opposition to the idea, but as it’s happening, and the initial anxiety is subsiding, we can have a much more rational discussion.

On Privacy Law: HIPAA, Library

At “Hospitals Fear Privacy Claims Over Medical Records:”

The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits.

Labor and employment attorneys who represent health care providers are especially concerned about the prospect of private HIPAA litigation because the law does not currently provide a private right of action. But plaintiffs appear to be getting around that. They say that courts in recent years have begun letting plaintiffs use HIPAA standards to prove liability in privacy lawsuits alleging that their sensitive medical records were inadequately protected.

I’m optimistic that private action will do more than the Bush administration has done to enforce HIPAA. It’s a pretty low bar, as I joked in ‘Medical “Privacy” law.’ (What do you call a set of regulations that the government won’t enforce?

At the same time, I expect that private action will face a substantial and uphill battle, absent a financially-expressible cost.

In other news, law firm Morrison & Foerster has an “International Data Privacy” library up, at Morrison & Foerster International Data Privacy.

Oh, and the picture? Nothing to do with this blog post. Just celebrating. Because we’re not blogging for the money.

Flower Power Sucks

Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will, with all due sarcasm, refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering.

Lately, not just on NPR but on my local “Timeless Rock” station, I’ve heard wistful mentions of this summer being the 40th anniversary of the Summer of Love. In fact, today is the 40th anniversary of the start of the Monterey Pop festival.

Well, I like sixties tunes as much as (probably way more than) the next guy, but I want to take this opportunity to plug an album that was recorded in 1967 and was decades ahead of its time. It had the unmitigated temerity to ridicule Sergeant Pepper’s, to mercilessly excoriate the vapid, privileged denizens of the San Francisco scene, to call Ronald Reagan a fascist who wanted to create a police state, and to attack narrow-minded parents for strangling their children’s curiosity and wonder in the cradle (and much, much more). It also laid withering scorn on mindless, superficial hippies and (accurately, alas) predicted a Kent State-type event.

That record is The Mothers’ “We’re Only in it for the Money”.

(BTW, the ’86 remastered version is worthless. You want the original vinyl (good luck), or the Rykodisc CD based on the original Verve master.)


New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007.
I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is (diagonal: breaches reported to that state; off-diagonal: breaches reported to both):

                 NH    NC
New Hampshire    40    11
North Carolina   11    41

I am eager to see how many of the NH cases were reported to NY. I am going to predict 27. Interesting how reports were being made to NH before the law requiring them took effect (hence the 1/17 date).

Disclosures where they’re not required by law

It’s the new normal in the English speaking world. See:

All via the Dataloss list.

Emergent Downtime

We had some downtime after a failure at our hosting facility.

We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete post-mortem will be sent to you as soon as possible.

Mmm, full disclosure and analysis. What a neat idea.