
Jaime Chanaga
CISSP, CISA

  • Jaime Chanaga is Chairman and CEO of The CSO Board. He advises companies in many sectors, with a particular focus on helping clients solve critical strategic issues and make lasting substantial improvements in their performance. Jaime is a former Chief Information Security Officer and co-author of the book, "Corporate Security In The Information Age".


Posts from May 2006

15 May 2006

Consumer Privacy Education

Recently, American consumers have learned that telephone companies have shared vast amounts of data pertaining to telephone call records with the U.S. Federal Government.  Legal or ethical arguments aside, it should not be surprising that the technology exists today to record and easily track our personal tastes, preferences, and lifestyles.  As consumers we need to be better informed about our choices when we elect to share our personal and consumer information.

A resource you may find valuable in terms of personal and consumer privacy education is the Privacy Rights Clearinghouse (http://www.privacyrights.org/).

12 May 2006

A Lesson In Airport Security

I'd like to share with you my recent experience at an airport security checkpoint.  A few months ago, I signed up for "Fly Clear", a registered traveler program.  As a subscriber, I voluntarily gave certain biometric information, along with a formal application that included personal identifying information, to the U.S. Transportation Security Administration (TSA).  In exchange for providing this personal data, the TSA performed a security threat assessment and approved my continued use of the expedited screening services provided by "Fly Clear".

When I arrived at the Orlando International Airport, I checked in my luggage and received my boarding card.  I headed towards the TSA security checkpoint, where I found the regular security screening line had a wait time of approximately 40 minutes due to the high volume of passengers.  Fortunately for me, the "Fly Clear" lane at the security checkpoint was open with only one passenger ahead of me.  I presented my smart card (with my biometrics and ID encoded) to the security staff and was verified as a registered traveler in under one minute.  I was then allowed to go through security screening, including x-rays of my carry-on items and walking through the metal detectors--all in under three minutes.

To become a registered traveler, I gave up some very personal and confidential information to the TSA--however, the convenience I experienced with the "Fly Clear" program was worth the investment.  Perhaps in the future I won't be so eager to trade away personal and confidential information.  That day, and for me, the convenience of saving 37 minutes standing in line was worth the trade-off.

I spent the next 37 minutes enjoying a Vanilla Bean Frappuccino® Blended Crème at Starbucks.

11 May 2006

Security Research Papers

The SANS Institute provides an invaluable resource called the Reading Room at http://www.sans.org/reading_room/.  At this site you will find research papers written by GIAC certification candidates on various topics in information security.  The papers are published and available for download free of charge.  There are over 1,588 original research papers covering more than 71 categories of interest in the field of computer and digital security.

10 May 2006

VOIP Security

With all the recent concerns over phone record privacy, there may be a new solution on the horizon for encrypting VoIP (voice over IP) calls.

Philip Zimmermann, creator of the widely used Pretty Good Privacy (PGP) encryption software, is currently working on a software-based "secure telephone" that works alongside popular VoIP applications.  Although the software is still in beta testing, it will bring consumers a strength of encryption that had previously been reserved for large multinational corporations or government agencies.  Because the two endpoints negotiate the encryption keys between themselves, the VoIP provider never holds them.  One caveat worth noting: encrypting the voice stream protects what is said on a call, not the record that the call took place, which is the kind of data at issue in the phone record story.  VoIP security for the masses is coming!

For more information visit:  http://www.philzimmermann.com/EN/zfone/index.html

Philip Zimmermann, thank you for once again giving the on-line community the gift of more secure communications in the promise of Zfone.

Jaime

09 May 2006

Electronic Crimes & Laws

Many countries are beginning to legislate and enforce stronger laws against cyber crime, but much more has to be done to address the wider range of electronic crimes.

For example, in recent months the focus within the United States (U.S.) has been on online sexual predators and, in a few cases, on international hackers accused of breaking into military computer networks.  Although existing U.S. laws can be used to prosecute criminal behavior in these two categories, much remains to be done to deal more effectively with these types of electronic crimes.

Call to action:  As concerned citizens, consumers, and business leaders, let's become active in the public policy debates that drive the consideration and creation of new legislation dealing with electronic crimes.

Jaime

08 May 2006

Consumers' Responsibilities for Privacy

You don't have to look very far in today's short news cycles to find reports of breaches of consumer financial and personal data.  But missing from the debate over government and industry regulation is a question I've been asking myself of late.

Where does my personal responsibility for the protection of my private consumer data and information begin?  As a consumer, am I being proactive and careful in protecting my private financial and personal information?  These are questions consumers should be asking themselves before expecting government or private industry to provide all the solutions for protecting personal information.

Take-away:

  • Do you have a cross-cut paper shredder at home to destroy old sensitive documents such as utility bills, credit card statements, etc.?
  • Do you protect your home computer with a hardware firewall, anti-virus software, and anti-spyware software?
  • Are you careful to destroy credit and bank offers you receive via postal mail?

Protection of personal information begins with each of us accepting our own personal responsibility for the protection, use, and management of our private personal and financial information.

Jaime

05 May 2006

Law Enforcement & Cyber Criminals

High-tech criminals.  News stories point out that cyber criminals are gradually aligning themselves with more traditional criminal elements in our society.  It is not surprising that cyber criminals have begun to work with organized crime on an international level.  For some the reason is simply economic: organized criminal elements pay cyber criminals such as hackers and malware/spyware authors to further their own agendas.

What are the implications of this convergence in criminal behavior?  One way to counteract this problem is simple: dialogue and cooperation between business and law enforcement.  Today more than ever, those charged with protecting business organizations, such as CSOs or CISOs, must develop and foster close working relationships with law enforcement.  Law enforcement agencies can provide the support needed to deal with crimes committed against business entities.

CxOs:  Don't wait until you have a threat or crime made against your company/organization to call law enforcement.  Develop collaborative peer working relationships with all levels of law enforcement.

Law enforcement community:  Thank you for your support.  We're here to work with you.

Jaime

04 May 2006

Ethics in Business and Life

Corporate financial scandals have plagued companies globally in the past few years, and it is no wonder that some "bad apples" in the executive ranks are leaving a disastrous legacy outside the business environment and impacting the lives of younger generations.

During the past few weeks, news stories have carried the account of Kaavya Viswanathan, a 19-year-old author now attending Harvard University, who was considered a rising author of teen novels.  After proof came to light that Kaavya may have plagiarized the work of another author, her publisher, Little, Brown and Co., decided to rescind her lucrative book deal.

Today, I came across a more disturbing story that shocked and surprised me.  Raytheon's (RTN:NYSE) CEO William Swanson became an almost overnight celebrity for publishing a short pamphlet titled "Swanson's Unwritten Rules of Management".  Swanson has admitted to plagiarizing the thoughts and works of other authors in his pamphlet.  His punishment is that Raytheon will not increase his salary and will have Swanson forgo his stock awards for this year.  Not a bad punishment when your base salary is reported to be $1.12 million.

Both of these stories are a sad commentary on our society today.  How can today's leaders, senior executives, educators, parents, or each one of us as citizens expect a brighter tomorrow for future generations?  How can we maintain those lofty expectations when we have leaders today consumed by greed, corruption, and dishonesty?  How can the younger generations such as Viswanathan be expected to learn from today's leaders?

Swanson was wrong in plagiarizing material for his pamphlet.  Viswanathan was wrong also in her actions of plagiarizing other authors.  Both failed to be ethical in their actions.

Lessons for leaders:  leadership is a trust and responsibility that should hold us to a higher standard.  As leaders, let us lead by example in our personal and professional lives.  No more excuses--bring back personal responsibility.  Let's live and work with ethics as a core value of all we do.

Today we need leaders who live and breathe ethics in all they do.  Viswanathan's generation needs to see those leaders lead by example in order to achieve our dream of a better tomorrow.

Jaime

03 May 2006

Business Enablement

As security executives, we talk about "security: a business enabler".  But what does that really mean?  Does security management by itself enable a business to be more productive or profitable?  The answer is no.  Security management cannot by itself provide the tools, efficiencies, and resources that enable any organization to be more productive or profitable.

Security management can be a useful ally in helping organizations become more productive and profitable only when it is integrated with and carefully planned alongside other organizational initiatives.  Some of those vital integration points for security management include corporate governance, privacy management, regulatory compliance, financial planning, and business risk management.  When security management becomes an integral part of these touch points within an organization, the organization is on a better path to realizing the inherent goals of a strong security management program that helps the organization become more successful.

Jaime

02 May 2006

Security Trends in 2006

In 2006 there have been a few trends and issues related to security and privacy that are noteworthy.  Here is my short list of security trends and issues that will continue to gain momentum and visibility throughout the rest of the year.

  1. Phishing attacks (a.k.a. business identity theft)--phishing is accomplished by sending emails that entice consumers to provide personal information to a website pretending to be a legitimate business.  Examples include fraudulent phishing emails that entice bank customers to "log in" and verify their information.  Unsuspecting consumers see the email and the false website, which may look exactly like the website for their bank, and provide their personal and financial information.  The cyber thieves then capture the customer's username, password, account information, etc. and proceed to victimize the customer by stealing their information and assets.  The tell is usually in the link itself: the text shown in the message may name the bank, while the address it actually points to belongs to the attacker.
  2. Insider threats--companies and organizations of all sizes are waking up to the reality that the biggest threats in the future may come from trusted internal sources, namely employees.  As companies off-shore certain functions, including internal software development and call centers for billing and customer service, there are additional risks which are often overlooked.  Off-shore facilities and staff are not routinely checked for potential information security leaks.  Also, the foreign laws, rules, and regulations governing the protection of consumer personal and financial data privacy are not carefully considered by most organizations today.  Companies and organizations will be forced in the coming years to add security measures, which must include policies, education, and enforcement, to deal with the growing potential for insider threats.
  3. Security and privacy legislation--news stories of breaches of consumer personal, medical, and financial privacy during 2005 and early 2006 caught the attention of legislative bodies in the United States.  Although several states are now crafting consumer privacy laws to deal with this problem, it is foreseeable that in the short term the United States Congress will have to deal with this issue at the federal level.  Although Sarbanes-Oxley, HIPAA, GLBA, etc. will continue to impact companies and organizations across the United States, it is also possible that Congress will create stronger legislation to further protect the rights of consumers and businesses, given the gaps and shortcomings of existing legislation and the increasing sophistication of security and privacy breaches.
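As an added illustration of the phishing lure described in item 1 (this is example code written for this page, not anything from the original post or from any product), the script below scans the links in an HTML email body and flags the two tricks such lures rely on: visible link text that names the bank while the href points somewhere else, and hrefs built on a raw IP address or a punycode (xn--) label that imitates a real domain.  The email body and every domain in it are constructed for the example; examplebank.com and evil-host.example are placeholders, and the registrable-domain logic is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Flag deceptive links of the kind used in phishing emails.

Checks applied to each <a> element in an HTML email body:
  1. visible link text names one domain but the href goes to another
     (e.g. text "https://www.examplebank.com/login" on an attacker's host);
  2. the href host is a raw IP address;
  3. the href host contains a punycode (xn--) label, often used to imitate
     a legitimate domain with look-alike characters.
All sample data below is constructed for this example.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL, or of bare text that looks like a URL; None if absent."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def registrable_domain(host):
    """Simplified registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(text, href):
    """Return the reasons a link looks deceptive; an empty list means no finding."""
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return reasons
    if is_ip(href_host):
        reasons.append("href uses raw IP address")
    if any(label.startswith("xn--") for label in href_host.split(".")):
        reasons.append("href uses punycode label")
    # Compare domains only when the visible text itself looks like a URL or hostname
    if "." in text and " " not in text:
        text_host = host_of(text)
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"text shows {text_host} but href goes to {href_host}")
    return reasons


def scan_email(html):
    """Return [(text, href, reasons)] for every suspicious anchor in the body."""
    return [(t, h, check_link(t, h)) for t, h in extract_links(html) if check_link(t, h)]


# Constructed sample lure: one IP-based link, one subdomain trick, one genuine
# link, and one punycode look-alike.  None of these hosts are real.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please <a href="http://192.0.2.10/login">log in</a> to verify your account.</p>
<p>Or visit <a href="http://www.examplebank.com.evil-host.example/login">https://www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
<p><a href="http://xn--exmplebank-8xb.com/">examplebank.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the constructed sample, three of the four links are flagged and the genuine help link passes.  The subdomain case (www.examplebank.com.evil-host.example) is the one that fools readers who only glance at the start of the address, which is why the comparison is made on the registrable domain rather than on the whole hostname.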

Comments and questions are always welcome! 

Jaime
