I hope the title of this post isn’t what John Sawyer is suggesting in his recent blog. I don’t think he really means to say that we shouldn’t attempt to protect the data that has been entrusted to us in our IT jobs. I’m hoping he means that, at the same time as we attempt to protect the data, we should also be proactive in our thinking and prepare for a breach.

I do agree wholeheartedly with the sentiment of this quote:

“Can you imagine walking into your CIO or CISO’s office and telling them that they need to come to grips with the fact that the security mechanisms they have spent tens to hundreds of thousands of dollars on will fail? That’s not a conversation I would want to have, but it is the mindset that needs to be adopted and built into policy and security mechanisms as they are designed and deployed” (Sawyer, 2008, ¶ 3).

In fact, if the CIO or CISO isn’t aware that the security mechanisms can (and probably will) fail, he or she shouldn’t be in that position in the first place. Just as we prepare for the worst in disaster recovery and business continuity planning, we should prepare for the worst in security and data breaches. That way, when (or if) a breach does happen, the company can handle the situation and move on, reducing the stress and anxiety over it and allowing employees to get back to the job at hand.

— Sawyer, John H. (2008, September 10). Inevitability of Failure. Evil Bits.

Three recent articles caught my attention and made me wonder: why don’t we think anymore? I mean, I know we all “think”, but serious cognitive thought about situations seems to be a lost art.

For example, Kelly Higgins describes a situation where bank records involving customers in stock option programs, as well as other banking activity, were lost. Now, that is somewhat understandable when you use a third party to store the tapes, as I have in the past. But this is the part of the article that caught my attention: “The unencrypted storage tapes…” (Higgins, 2008, ¶ 2). WAIT!!! Unencrypted?!?! Why would you want to risk the exposure of sensitive personal information by not encrypting the backup tapes? In my job I deal with personal health information (PHI), a.k.a. HIPAA-governed information. I would NEVER send data across the Internet to our external backup site or do a tape backup without encrypting the data I’m putting on the tape. I’ve had two people fired for transmitting PHI via e-mail to an employee working from home.

Then there is the article by John Sawyer about a microSD card he found on the street and what was on it. Word and Excel documents…okay. Probably information the company wouldn’t want released, but it’s probably low-risk, low-threat data. But porn movies? And not only that, but homemade porn movies? I mean, seriously! Do people really want to risk their jobs with porn on their phones? And hopefully not on a company-supplied phone.

And then this gem by Tom Wilson. How did the virus get onto the computers in the Space Station? Yep, a virus made it to outer space, folks. Someone is suggesting it probably made it there on a USB thumb drive. Probably. But they do transmit e-mail back and forth to the station via Ku-band links. I guess now we’re going to have to start frisking astronauts before they get on the rocket to make sure they don’t have any undeclared thumb drives.

So, the common thread in these stories is: why don’t people think? When you look back over the past couple of years of breach reports, you’ll see stories about someone leaving a CD full of unencrypted PHI in the seat-back pocket of an airplane. Consultants and employees having their laptops stolen from cars and restaurants, with the data stored on the notebook unsecured. And now 12 million people have had their personal financial information exposed because someone didn’t encrypt a backup tape. These are easy-to-prevent situations, but why don’t we think? Are we naive enough to think that “it won’t happen to me”? I think that has been disproved enough times. Which is why the number of computers reported as members of a botnet has quadrupled over the past few months!

It seems to me to be a pretty simple situation. “I have health-related data on my notebook, or on this CD, so I had better make sure it’s either encrypted, or I need to be EXTREMELY careful with it.” Isn’t that the thought that should be going through your mind? Wouldn’t you want someone who was working with your personal information to exercise the same restraint and concern to make sure your data is secured? Of course you would. You’d be the first to scream when your data was released. But why don’t we show that same respect toward others? Why don’t we think?

— Higgins, Kelly Jackson. (2008, August 29). Bank’s Lost Backup Tapes Contained IDs of 12 Million Clients. Dark Reading.

— Sawyer, John H. (2008, August 29). Dangers of Mixing Business and Pleasure. Dark Reading.

— Wilson, Tom. (2008, August 29). Who Infected the International Space Station? Dark Reading.

Or should I say, is it really your parents that are to blame? Here’s an interesting article from Dark Reading that cites a research study on spam. A researcher analyzed 8.9 million e-mail messages at an ISP in the United Kingdom and found that the first letter of your e-mail address made a significant difference in the quantity of spam received.

“[The researcher] found that the email addresses that began with “A” received 35 percent spam in their inboxes, while “Z’s” got about 20 percent — after sorting out real emails versus invalid ones that had likely been generated by a spamming tool. Clayton says it’s likely that spammers using dictionary attacks could be the cause of this disproportionate distribution of spam” (Higgins, 2008, ¶ 3).

So you see, it’s not your pattern of behavior on the Internet, or the fact that some of your friends don’t keep a current anti-virus program on their computers, that is to blame; it’s your parents. If they had named you Quentin instead of Allen, you wouldn’t get as much spam.

— Higgins, Kelly Jackson. (2008, August 28). Report: Email Address Dictates Spam Volume. Dark Reading.

Tom Davenport raises a good question in his post on the democratization of healthcare costs and whether physicians should be online. Democratization of knowledge is basically a fancy phrase that means the knowledge is out there for us to find and use; all we have to do is search. Witness WebMD. You can get fairly in-depth coverage of virtually all illnesses and diseases on their site. If we arrive at the physician’s office with a good idea of what is wrong with us, why should we have to go into the office anyway…with the caveat that the physician has a medical history on us and has “seen” us previously.

“…since you only get about 7 minutes on average of face-to-face time with your doc, it’s not as if we are giving up an intimate, in-depth relationship. No muss, no fuss, no bricks-and-mortar, and the insurance company gets by very cheaply” (Davenport, 2008, ¶ 7).

This is so true in today’s medical community. The insurance companies are constantly squeezing physicians (as well as other health care practitioners) on reimbursement rates. This seems a logical next step for the practice of medicine, provided the physician has a good medical history on any patient treated in this manner. I don’t know enough about the makeup of a traditional family practitioner’s day to know how many of those visits could be accomplished online, but if a nurse practitioner oversees most visits anyway and prescribes medication, why not let some of that interaction happen online?

This also seems to be a very good argument for electronic health records (EHRs), which have languished in most implementations.

— Davenport, Tom. (2008, August 19). “Is It Time for Your Doctor to Get Online?” Harvard Business.

According to Val Rahamani, general manager of IBM’s Internet Security Systems, “The security business has no future” (¶ 2). The rapid growth of threats recently, as well as reports that 90% of websites are vulnerable, has made me wonder whether we, as IT people, can keep up. I do think Rahamani has it right with this statement:

“The security industry is flying by the seat of its pants,” Rahamani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win” (¶ 3).

But what is the alternative? According to Rahamani, “security companies must sell their customers solutions that assume ‘everyone is infected’ so that they can safely do business, which makes a business sustainable” (¶ 5). It will be interesting to see what IBM ISS does bring out in the future. But having thrown this challenge out at RSA Conference 2008, it had better be a good solution.

— Higgins, K. J. (2008, April 10). IBM: The Security Business ‘Has No Future’. Dark Reading.

Amazon is definitely good at disruptive business practices. Its first round of offering books over the Internet changed book buying for many of us. But now it’s offering a new way of buying that doesn’t involve the web at all. A NY Times article describes how you can now text-message the UPC or ISBN of an item to Amazon, which responds with two prices for that item. If you want either one, you can text back a 1 or a 2, or you can text ‘M’ back and get more options.

“Amazon TextBuyIt, which launched late Tuesday, lets people text the name of a product, its description or its UPC or ISBN to 262966 (that’s ”Amazon” on the keypad) from anywhere their cell phones work — including from inside physical stores” (¶ 2).

Retailers had better look out, because now shoppers are going to be even more prepared to negotiate the price posted on an item when they go shopping. This situation reminded me of a previous NY Times article about how people are negotiating prices at large electronics stores, using quotes from web sites to get the best deal they can. Now people don’t even need to negotiate prior to showing up in the store. And retailers are going to have about 5 minutes to make a deal or lose it to Amazon. And I’m sure other Internet sites will implement similar technology before too long…unless Amazon has a patent on it. 🙂

It also makes me wonder how many retailers are investigating the use of cellular disrupter technology today. 🙂

— Associated Press. (2008, April 2). Amazon Launches Text-Message Shopping. New York Times.

— Richtel, M. (2008, March 23). Even at Megastores, Hagglers Find No Price Is Set in Stone. New York Times.

This story is something IT departments should take to heart:

“According to a report issued yesterday by WhiteHat Security, nine out of 10 Websites still have at least one vulnerability that attackers could exploit. On average, there are about seven flaws on each site studied” (¶ 2).

I have to wonder, though, whether it is due to time-constrained employees, or to the fact that technology is moving so fast that it is hard for the average employee to keep up with work as well as learn about the new threats.

“Cross-site scripting (XSS) is still the top category of vulnerabilities, appearing in approximately 70 percent of Websites, WhiteHat says. But the researchers are predicting that cross-site request forgery (CSRF) will eventually take the No. 2 spot behind XSS” (¶ 4).

This is why I absolutely NEVER use Internet Explorer, and I have NoScript installed on every copy of my Firefox browser. I’ve run across normal e-commerce sites that NoScript blocked. Whether the XSS script was there on purpose or the site had been hacked I never tried to find out; I just left the site.

— Wilson, T. (2008, March 25). 90% of Sites Still Vulnerable. Dark Reading.
