
Posts from July 2007

July 18, 2007

Ninth U.S. Circuit Court of Appeals Rules Warrants Not Needed By Government to Monitor E-Mail Addresses

A drug case recently decided by the Ninth U.S. Circuit Court of Appeals in San Francisco has resulted in a ruling (the full text of the ruling is available as a PDF document) that will have a profound legal impact on anyone using the Internet, including e-mail and web browsing.

The court compared e-mail traffic to physical mail: the government can already note the sender's and receiver's addresses on the outside of an envelope, and so monitor patterns of mail traffic without a search warrant, but must obtain one to open the envelope and read the contents.  The court held that the government may likewise monitor the to and from addresses of a person's e-mail account without a search warrant.

I'm a law-abiding citizen and have nothing to hide from the U.S. Government.  If asked, I would gladly share my e-mail with the government.   There is a proverb my grandparents and parents always mentioned:  "He who has done nothing wrong has nothing to fear."  However, I do like to maintain a bit of privacy in my e-mail communications, considering that e-mail is an insecure method for receiving and sending information.  As personal information security risks grow, I'd rather have my personal e-mails encrypted from the prying eyes of potential data thieves.

Regardless of whether the government can read my e-mail without a search warrant, as a consumer and information security professional I try to do my part to protect my personal e-mail.   That's why I use encryption technologies to secure my e-mail communications.   My personal encryption tool is PGP Desktop 9.6.2.    Please forgive me, as I'm not here to share a product endorsement.  What I'm trying to share is that anyone can do something to protect the confidentiality of their online communications.  One caveat is worth stating plainly: encrypting a message protects the contents of the envelope, not the addresses written on it.  The To and From headers, and with PGP the Subject line as well, still travel in the clear, which is exactly the traffic this ruling addresses.  I took action to protect my personal e-mail communications.  What have you done today to protect yours? 
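As an added illustration of that caveat (example code written for this post, not code from the original entry or from PGP Desktop), the Python below builds a PGP/MIME message in the RFC 3156 layout around a placeholder ciphertext, builds an ordinary plaintext message for comparison, and reports what a mail relay or on-path observer can read from each without any key.  The ciphertext block, the addresses and the date are constructed stand-ins; only the message structure is real.

```python
"""What an observer without the key still sees when a message body is
OpenPGP-encrypted.  Added example; not code from the original post or from any
PGP product.  The PGP/MIME layout follows RFC 3156; the ciphertext, addresses
and date below are constructed placeholders."""
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed stand-in for the ASCII-armored block a real client (PGP Desktop,
# GnuPG, ...) would produce.  It is not real ciphertext and cannot be decrypted.
PLACEHOLDER_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA3BsYWNlaG9sZGVyAQf9ExampleOnlyNotRealCiphertext000000000000\n"
    "=c0n5\n"
    "-----END PGP MESSAGE-----\n"
)

# Headers that travel outside the "envelope": readable by every mail relay.
ENVELOPE_HEADERS = ("From", "To", "Date", "Subject")


def _add_envelope(msg, sender, recipient, subject):
    msg["From"] = sender
    msg["To"] = recipient
    msg["Date"] = "Wed, 18 Jul 2007 09:00:00 -0700"  # constructed
    # Subject is a header, not part of the body, so PGP/MIME leaves it readable.
    msg["Subject"] = subject


def build_pgp_mime(sender, recipient, subject, armored_ciphertext):
    """Wrap armored ciphertext in an RFC 3156 multipart/encrypted container."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    _add_envelope(msg, sender, recipient, subject)
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(armored_ciphertext.encode("ascii"), "octet-stream",
                           _encoder=encoders.encode_7or8bit)
    msg.attach(control)
    msg.attach(body)
    return msg.as_bytes()


def build_plaintext(sender, recipient, subject, text):
    """Ordinary unencrypted message, for comparison."""
    msg = MIMEText(text)
    _add_envelope(msg, sender, recipient, subject)
    return msg.as_bytes()


def observer_view(raw):
    """Return what a mail provider or on-path observer can read with no key.

    Envelope headers are always returned.  The 'body' entry is the readable
    text for an unencrypted message, or an opaque marker when only an
    OpenPGP block is present.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    view = {h: str(msg[h]) for h in ENVELOPE_HEADERS if msg[h] is not None}
    if msg.get_content_type() == "multipart/encrypted":
        parts = list(msg.iter_parts())
        armored = parts[1].get_payload(decode=True).decode("ascii", "replace")
        if "-----BEGIN PGP MESSAGE-----" in armored:
            view["body"] = "<opaque OpenPGP block: contents unreadable without the key>"
        else:
            view["body"] = "<multipart/encrypted without an armored block>"
    else:
        view["body"] = msg.get_content().rstrip("\n")
    return view


if __name__ == "__main__":
    encrypted = build_pgp_mime("alice@example.com", "bob@example.com",
                               "Q3 audit findings", PLACEHOLDER_CIPHERTEXT)
    plain = build_plaintext("alice@example.com", "bob@example.com",
                            "Q3 audit findings", "The numbers are attached.")
    for label, raw in (("PGP/MIME", encrypted), ("plaintext", plain)):
        print(label)
        for key, value in observer_view(raw).items():
            print(f"  {key}: {value}")
```

Running it shows the same From, To, Date and Subject lines for both messages; only the body differs.  That is the practical shape of the court's envelope analogy: an encrypting client closes the envelope, but the addressing (and the subject) stays on the outside.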

Here are some solutions to encrypt your e-mail communications you may wish to explore:

[Disclaimer:  As of July 17, 2007, neither I nor my firm, The CSO Board LLC, has any conflict of interest (financial or other) with any of the above-mentioned companies.  We have no financial or other incentive to mention these companies or organizations.] 

This court ruling changes the game a bit, and society must adapt to technological changes and challenges as well.   I challenge you to do something today to protect the confidentiality and security of your online and e-mail communications.

For further reading:

Keep it Classified: E-mail Encryption for Small Business

Lifehacker: How to encrypt your email

WashingtonPost:  E-mail at Risk? Cover It With Encryption

July 17, 2007

How Stolen Credit Cards Are Used to Fund Terrorist Operatives

Sometimes, I'll read a news story that makes me feel both angry and very concerned for our future.  The Washington Post published a story (http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501945_pf.html) on July 6th, 2007 that has shaken my beliefs.

A group of three British residents sympathetic to the global jihadist terrorist movement used a set of tools, including computer viruses and phishing web sites they created (fake sites emulating legitimate sites such as eBay.com), to steal credit card numbers from unsuspecting victims.  (For more information on phishing attacks read: http://en.wikipedia.org/wiki/Phishing)

They also used Internet bulletin board forums and underground chat rooms where they shared information including stolen credit card numbers, computer hacking, bomb making, and videos of beheadings and suicide bombings in the current conflict in Iraq.

In an attempt to hide their actions, the men also attempted to launder the money from the stolen credit cards through online gambling operations.   The stolen credit cards were also used to fund online purchases of supplies and equipment that the men intended to provide to terrorists in theaters of conflict.

The statistics of their crime are alarming.  One of the computers seized as part of the investigation into these men's activities was found to contain 37,000 stolen credit card numbers and detailed information on the legitimate cardholders, including names, dates of birth, credit balances and limits.

The information technology (IT) and security industries have many technical countermeasures for combating the risks of e-mail spam and phishing web sites and for protecting credit card information.  As technology professionals we know how to combat those issues, but are we missing the bigger picture?

We constantly read news stories of companies that have lost credit card information through their own failures.  Yet when companies do suffer electronic data breaches involving credit card information, the issue is relegated to a technical problem rather than one with potentially broader implications.  Some organizations see those security breaches as a financial problem.  That vision is myopic as well.

Over the past 10 years as I have seen the information security profession and industry mature, I've always felt that both the IT and security fields will increasingly play a large role in the safety and security of our communities and countries.   In the news story I've shared with you, three men were able to steal credit card numbers and the identities of countless people, many of whom will never truly know how their information could have been used to fund the activities of terrorist and terrorist sympathizers.

But where does the responsibility lie?  Is it only up to banks, financial institutions, and companies to protect our personal information?   I would challenge anyone who says that 100% of the responsibility lies with banks and financial institutions or businesses to protect your and my personal information.   

Consumers must step up to the plate and be proactive.  How many of you as consumers know what spam email, phishing attacks, and computer viruses are?   How many of you as consumers know what to do to protect yourself from those risks?  Education in regards to these risks will help you protect your personal and financial information.

Don't think for a moment that you as an individual consumer cannot have an impact on preventing groups like terrorists and other criminal elements of society from continuing their actions.  Yes, you and I can help make it harder for criminal elements of society to harm us all.   I challenge each and every one of you to go ahead and protect your personal information, and make a valuable contribution to the world in the process.

One final thought for businesses.  You too have a responsibility to prevent misuse of the personal and financial information we as consumers, clients, and employees have entrusted to you.   Please look beyond the technical and financial impact of ignoring the risks when failing to protect our personal and financial information.   Please stop making information security an afterthought.

As consumers and businesses we may never be able to change the mentality of criminal elements of society like terrorists.  But we can make a difference.

July 16, 2007

Leadership Lesson: Think Differently

"1. Think differently
Don’t be afraid of challenging the status-quo.  True excellence as a security executive and leader demands you are willing to think differently.  Dare to think big and differently! "

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

When I shared the presentation "Leadership Lessons for Security Excellence", here on my blog a few weeks ago, I received many responses.  Thank you to everyone for sharing your thoughts and providing feedback.

One of those responses, an email from a friend and colleague really moved me.   My friend shared  that after working for 20 plus years in his particular industry, he felt his organization and industry didn't reward employees for thinking differently.   Today, my friend is looking forward to leaving his organization in order to be able to explore this and other interests.   

This made me think: why don't organizations reward employees for having the courage to think differently?   Those organizations that do reward such employees are highly successful.

Allow me to illustrate.   Google, which is considered one of the most admired companies, is so admired in part because it rewards employees for being creative and thinking differently.   Rewarding employees for thinking differently is not the only factor contributing to Google's financial performance.   However, in the long run I'm willing to bet that Google will be more successful than its competitors in employee satisfaction, performance, and the financial bottom line by allowing its employees to think differently.

In December 2004, as a CISO for a large non-profit health care system, I was invited to participate on a CISO/CSO panel presentation during the InfoSecurity Conference in New York City at the Jacob K. Javits Convention Center.   This panel was comprised of CISOs/CSOs that included:

  • Larry Brock, CISO, DuPont
  • Mary Ann Davidson, CSO, Oracle
  • Chris Hoff, CISO, WesCorp
  • Gerhard Eschelbeck, CTO, Qualys

Pete Lindstrom, Director of Spire Security, was the moderator for the event.  During our panel discussion of how organizations could best adapt to the threats of zero-day based security risks, I took the opportunity to share one of the ways we, as a health care system, took action and thought differently.  Let me share with you what I shared then.

As a CISO in health care, I'd noticed that most health care information technology vendors had unclear or non-existent secure coding practices integrated into their software application development life cycles (SDLCs).  At the health care system where I was working at the time, we decided, in conjunction with the Information Technology department, to mandate a set of detailed questions and a review process in all RFPs used for vendor evaluations.   We questioned vendors in detail on the secure coding practices contained in their SDLCs.   

While today most information security breaches occur at the application software layer, in 2004 most organizations (especially in the health care industry!!!) were not thinking about mitigating risk from that perspective.  By being willing to question vendors and hold them accountable for secure coding practices in their SDLCs, we were miles ahead of most competitors in mitigating risks, including zero-day based risks!

I challenge you to think differently.  Dare to think differently in  your work and leadership.  You may be surprised by the results.  Wishing you the best on your new vision to think differently.

July 03, 2007

Security Excellence Day, 20-June-2007, Milan, Italy

On 20-June-2007, I participated as a keynote speaker at the Security Excellence Day Conference in Milan, Italy at the invitation of SanDisk (www.sandisk.com) and NSEC Srl (www.nsec.it).

The invitation-only event for C-level executives in Europe was co-sponsored by IBM, Microsoft, SanDisk, Applied Identity, and NSEC Srl.  The focus of the conference was to discuss the future direction and trends for information security.  Speakers included:

My presentation entitled “Leadership Principles for Security Excellence” focused on the key “soft” skills top security executives often overlook which can help enhance their leadership performance.  Here is a brief summary of the presentation and the accompanying slide deck.

Leadership Principles for Security Excellence

1. Think differently
Don’t be afraid of challenging the status-quo.  True excellence as a security executive and leader demands you are willing to think differently.  Dare to think big and differently!

2. Learn from failure
Failure is a roadmap to success.  Learn from your failures in security management and from the mistakes of others.  Don’t be afraid of taking risks, failing, and then learning from failure.  Thomas Edison never gave up, even after 10,000 failures when trying to invent the incandescent light bulb.  Have you failed 10,000 times in your security management leadership?  If not, then don’t give up!  Learn from failure!

3. Be innovative
Innovation in security management is critical to achieving excellence.  Don’t be afraid to try new ways to protect your IT assets and organizations.   Those people determined to break your information security are using innovation and creativity to find new ways to breach your information security defenses. Don’t be afraid to innovate and be creative in protecting your information assets and organizations.

4. Value people
Too often security executives fail in their leadership by forgetting that building relationships and trust with people is the secret to long-term success.  Learn to build relationships based on trust with your subordinates, peers, and partners to enhance your leadership performance.

5. Lead with integrity
Personal and professional integrity should be at the core of a security leader’s beliefs and actions.  In today’s business climate, unfortunately corporate scandals show some executives sacrificing their personal and professional ethics.  True excellence and leadership demands executives hold strong personal and professional ethical standards.

6. Change the world
Adopting some or all of these Leadership Principles for Security Excellence will allow you to change the world around you.  As a leader you will have a noticeable positive impact on your subordinates, peers, partners, your organization, and your industry: your world.

I'd like to extend my sincere thanks to SanDisk and NSEC for inviting me to share at this event.  I welcome comments from you, my blog readers, on this presentation.

Pictures of the event
http://www.flickr.com/photos/nsec/sets/72157600464937201/

NSEC Press Release
Download PR_NSEC-Security_Ecellence_Day.pdf

NSEC Blog - Thank You