<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-19586308</id><updated>2011-04-21T18:49:46.423-07:00</updated><category term='security'/><title type='text'>eCrime Watch</title><subtitle type='html'>Electronic crime threatens every corporation.  "eCrime" (a.k.a security breach) can undermine shareholder value and destroy the tenure of senior executives.  A company's biggest liability is to be found negligent or out of compliance following a security breach involving data loss.  This blog addresses risk management in regard to electronic crime, with a focus on governance, integration (or convergence) of physical security and data security and that which pertains.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ecrimewatch.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>30</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-19586308.post-539446756186028406</id><published>2008-04-19T13:55:00.000-07:00</published><updated>2008-04-19T13:56:48.315-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Security is a Process...Not a State (Revisited)</title><content type='html'>It is second nature to security professionals that security is a process and not a state.  However, many of us overlook the implications of this fact in regard to data security.  Let's consider the implications now.  The breach of sensitive information is different than a breach of security in regard to physical items. For example, when a laptop is stolen it is no longer available for use. In contrast, when data is stolen it is often the case that an instance (a copy) of that data is in the possession of an unauthorized person, while the original data is still available to the owner. There are many implications resulting from this difference. Security professionals discuss this in terms of operational risk versus organizational risk. The actual loss derives not from the theft itself, but from the litigation and bad press that result. The risk applies to brand and shareholder value. It is for this reason that the process of security trumps the actual state of security at any one time. A formal program of security, even if it is a low-budget, understated program, is imperative for most companies today. If the loss results from bad press and litigation then the defense is the ability to demonstrate that a reasonable standard of care was being provided. This is best demonstrated by producing a written plan, evidence of effective management with third party oversight and evidence of the progress being made on the plan. 
Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure, it is almost instantaneous in its effect and unassailable in its cost effectiveness.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/539446756186028406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/539446756186028406'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2008/04/security-is-processnot-state-revisited.html' title='Security is a Process...Not a State (Revisited)'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-5833486732153689005</id><published>2007-10-23T22:30:00.001-07:00</published><updated>2007-10-23T22:30:32.951-07:00</updated><title type='text'>The Virtual Perimeter in the Age of Convergence</title><content type='html'>Security is essentially the ancient art of protecting the perimeter. Sometimes neither ancient nor present-day technology can adequately protect the actual exterior perimeter. For such instances, we recommend establishing a virtual perimeter inside the exterior one. This virtual perimeter is created by delineating a line of pixels in the image of one or more digital cameras. This line of pixels can form the interior, virtual perimeter. The cameras feed the video signal to a server performing analysis of the video images. 
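The geometry behind such a pixel tripwire, as an added example that is not code from this post or from any product it mentions: a virtual line is fixed in image coordinates, each tracked object is reduced to a foot point per frame, and an event fires when a human-shaped track gets close to the line and keeps closing in (approach) or changes side of it (cross). The line, the tracks and the human-like flag below are constructed for illustration; a real deployment would take them from the analytics engine's detector and tracker.

```python
"""Virtual perimeter (pixel tripwire) over a stream of tracked detections.

Added example, not part of the original post or of any product it mentions.
The line, the tracks and the human_like classification flag are constructed.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Detection:
    frame: int
    track_id: int
    x: float          # pixel coordinates of the object's foot point
    y: float
    human_like: bool  # classifier found a head-and-shoulders profile


# Constructed virtual perimeter: a line of pixels drawn across a 640x480 image.
LINE = ((100.0, 400.0), (540.0, 120.0))
APPROACH_PX = 40.0   # warn when a person is this close and still closing in


def side(p, line=LINE):
    """Signed area test: positive on one side of the line, negative on the other, 0 on it."""
    (ax, ay), (bx, by) = line
    return (bx - ax) * (p[1] - ay) - (by - ay) * (p[0] - ax)


def distance(p, line=LINE):
    """Perpendicular distance in pixels from p to the (infinite) line."""
    (ax, ay), (bx, by) = line
    return abs(side(p, line)) / math.hypot(bx - ax, by - ay)


def along(p, line=LINE):
    """Where p projects onto the segment: 0.0 at its start, 1.0 at its end."""
    (ax, ay), (bx, by) = line
    dx, dy = bx - ax, by - ay
    return ((p[0] - ax) * dx + (p[1] - ay) * dy) / (dx * dx + dy * dy)


def evaluate(detections):
    """Walk detections in frame order and return (frame, track_id, event) tuples.

    'cross' fires when a human-like track changes side of the segment;
    'approach' fires when it is within APPROACH_PX and closer than last frame.
    Non-human tracks (carts, animals, headlights) are ignored entirely.
    """
    last = {}       # track_id -> (side flag, distance) from the previous frame
    events = []
    for det in sorted(detections, key=lambda det: (det.frame, det.track_id)):
        if not det.human_like:
            continue
        p = (det.x, det.y)
        a = along(p)
        if not (a >= 0.0 and 1.0 >= a):
            continue  # beside the segment, not in front of it
        s = side(p) > 0
        dist = distance(p)
        prev = last.get(det.track_id)
        if prev is not None:
            prev_s, prev_dist = prev
            if prev_s != s:
                events.append((det.frame, det.track_id, "cross"))
            elif APPROACH_PX > dist and prev_dist > dist:
                events.append((det.frame, det.track_id, "approach"))
        last[det.track_id] = (s, dist)
    return events


# Constructed tracks: foot points per frame.
TRACKS = [
    # track 7: a person walking straight at the perimeter and stepping over it
    Detection(1, 7, 374.0, 344.0, True),
    Detection(2, 7, 352.0, 311.0, True),
    Detection(3, 7, 336.0, 285.0, True),
    Detection(4, 7, 309.0, 243.0, True),
    # track 9: a cart on the same path; not human-shaped, so never alerted on
    Detection(1, 9, 374.0, 344.0, False),
    Detection(2, 9, 352.0, 311.0, False),
    Detection(3, 9, 336.0, 285.0, False),
    Detection(4, 9, 309.0, 243.0, False),
    # track 11: a person walking parallel to the line, well outside it
    Detection(1, 11, 400.0, 386.0, True),
    Detection(2, 11, 440.0, 360.0, True),
    Detection(3, 11, 480.0, 335.0, True),
]

if __name__ == "__main__":
    for frame, track, event in evaluate(TRACKS):
        print(f"frame {frame}: track {track} {event}")
```

Two design points carry over to real deployments: the approach warning needs the previous frame's distance, so the rule is stateful per track and a lost track must be expired, and the human-shape gate is what keeps the guard force from chasing every cart and shadow that moves near the line.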
The server is looking for specific objects in the images that have certain attributes associated with humans, such as a neck and shoulders. When such objects appear near the virtual perimeter and approach that perimeter, the server issues an alert to the security force. A guard carries a handheld device which displays the object and tracks its movement as the guard approaches the intruder.&lt;br /&gt;&lt;br /&gt;This solution requires technical sophistication to design and deploy, but it is a perfect example of a security solution that is available as a result of the convergence of certain technologies.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/5833486732153689005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/5833486732153689005'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2007/10/virtual-perimeter-in-age-of-convergence.html' title='The Virtual Perimeter in the Age of Convergence'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-5655919807064100746</id><published>2007-06-17T20:43:00.000-07:00</published><updated>2007-06-17T20:55:43.682-07:00</updated><title type='text'>Beyond Convergence</title><content type='html'>I get dozens of emails each week on "convergence."  I gave the keynote address at Security Summit 2007 in Los Angeles and the title of the Summit was:  Convergence:  The Next Horizon.  
It is safe to say that convergence is the number one topic in the security field.  The industry is experiencing a major transformation.  However, the focus on convergence is misplaced.  I believe it derives from the perspective that as security devices become network peripherals, security professionals are focused on the point of convergence.  The problem with this focus is that it results in underachieving.  Such a focus leads to security devices operating on Ethernet networks and providing the same functions as those same devices provided previously, when they were standalone electronic systems.  I encourage all security systems manufacturers and integrators to look beyond convergence.  This longer-range focus changes the objective from gaining equivalent functionality to engineering the network, which means optimizing it, to protect people, facilities and data and to prevent fraud.  Looking beyond convergence helps expand the context to achieve a higher level of protection by using the benefits that become available through convergence.&lt;br /&gt;&lt;br /&gt;Please let me know your thoughts on this topic.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/5655919807064100746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/5655919807064100746'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2007/06/beyond-convergence.html' title='Beyond Convergence'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-2932144874228273253</id><published>2007-03-03T16:20:00.000-08:00</published><updated>2007-03-03T16:40:28.413-08:00</updated><title type='text'>Industry Report Points to Ollivier Corporation</title><content type='html'>&lt;p&gt;Ray Bernard is an industry analyst whom I have known for about four years.  When I was new to the security industry, he was one of the first security consultants whose eyes lit up when he and I talked about the integration of physical and data security.  He has gone on to create an incisive new report on the industry. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;He talks about such projects as the national retailer (over 300,000 employees) deploying 150,000 IP cameras globally, as an incremental addition to their global deployment of IP Telephony. IP Telephony (VoIP) replaces analog phones with handsets that connect directly to the network, getting both power and communication connectivity over Ethernet-based networks.&lt;br /&gt;&lt;/p&gt;Very few discussions of convergence in the security industry use "installation" as an example.  Ray does in his report.  He talks about the installer preparing the IP-based cameras in the same manner as IP-based phones.  Both are put in similar boxes, prior to distribution to regional offices, with the same information barcodes on the boxes and with network cable location numbers. 
A swipe of the computerized barcode scanner displays exactly where a phone or camera is to go along with other installation information.  This enables an integrator to reduce the typical per-camera installation time from 3 hours to 30 minutes. This is a classic IT application.  &lt;p&gt;Ray then points out that Ollivier Corporation is using common IT installation strategies for its security deployments.  He reports that customers want the benefit of IT expertise from their security integrator and that Ollivier Corporation is way out in front of other physical security integrators.  I encourage you to learn more about &lt;a href="http://go-rbcs.com/report_security_industry.htm"&gt;Mr. Bernard's&lt;/a&gt; industry report. &lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/2932144874228273253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/2932144874228273253'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2007/03/industry-report-points-to-ollivier.html' title='Industry Report Points to Ollivier Corporation'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-117039575152265681</id><published>2007-02-01T21:46:00.000-08:00</published><updated>2007-06-17T20:42:07.061-07:00</updated><title type='text'>Guards, Dogs and Technology</title><content type='html'>I am still surprised how seldom the balance between a guard force and technology-based security systems is discussed.  It seems as though the discussions of how to deploy each of these are held in isolation from each other.  Here are some of my thoughts.   Now that security devices, such as cameras and access control readers, are peripherals on the network, they are much more intelligent than just a couple of years ago.  They are especially intelligent if the network is engineered to take advantage of communication between the devices and with the data available on the network.  It is this communication that enables Eye on Cash, GPS Logon, Virtual Perimeters, Virtual Mantrap, CRM Secure and other solutions developed by Ollivier Corporation to be available at low cost in today's market.&lt;br /&gt;&lt;br /&gt;As intelligent as these solutions are, they still require the judgment provided by a competent guard force.  These solutions sort through hundreds of events to create alerts and alarms that are rendered important or meaningless by the guard force.  The guard force is comprised of the first responders.  What this means is that the guard force's value and contribution is significantly increased by relegating monitoring and surveillance to devices.  
I have been told by guard service organizations that they make more money deploying intelligent guards to monitor and assess the output of computer-based security systems than they do selling low-paid guards.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/117039575152265681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/117039575152265681'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2007/02/guards-dogs-and-technology.html' title='Guards, Dogs and Technology'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-116742581787839078</id><published>2006-12-29T12:48:00.000-08:00</published><updated>2007-02-01T21:46:22.586-08:00</updated><title type='text'>Meshing Surveillance</title><content type='html'>I am working with residential building owners in a very high crime area of Los Angeles.  We intend to cover the entire 5 square mile area with IP-based surveillance cameras.  The trick is that each of the buildings in this area is owned by individuals, acting in a loose confederation as property owners.  
They require high quality cameras because the ambient lighting will vary dramatically and a high level of visual acuity will assist in making proper identifications.&lt;br /&gt;&lt;br /&gt;While the cameras must be high quality, the infrastructure must be low cost, yet still tie each camera into the network.&lt;br /&gt;&lt;br /&gt;New mesh network technology dramatically reduces the cost and planning required to improve infrastructure and therefore creates a platform for higher functioning cameras.  This configuration is working well in a few cities and we hope to apply it to our situation in Los Angeles.  If you have any comments, please contact me at joelrakow@olliviercorp.com.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116742581787839078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116742581787839078'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/12/meshing-surveillance.html' title='Meshing Surveillance'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-116369422684000389</id><published>2006-11-16T08:01:00.000-08:00</published><updated>2006-12-29T12:48:09.460-08:00</updated><title type='text'>Security is a Process...Not a State</title><content type='html'>It is second nature to most of us that security is a process and not a state.  
However, many of us overlook the implications of this fact in regard to data security.  Let's consider the implications now.&lt;br /&gt;&lt;br /&gt;The breach of sensitive information is different than a breach of security in regard to physical items and is discussed more than once in previous postings on this blog.  The actual loss derives not from the breach, but from the litigation and bad press that result.  The risk applies to brand and shareholder value.  It is for this reason that the process of security must be formalized.  If the loss results from bad press and litigation then the defense is the ability to demonstrate that a reasonable standard of care was being provided.  This is best demonstrated by producing a written plan, evidence of effective management with third party oversight and evidence of the progress being made on the plan.&lt;br /&gt;&lt;br /&gt;Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure, it is almost instantaneous in its effect and unassailable in its cost effectiveness.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116369422684000389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116369422684000389'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/11/security-is-processnot-state.html' title='Security is a Process...Not a State'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-116369277321935151</id><published>2006-11-16T07:58:00.000-08:00</published><updated>2006-11-16T07:59:48.703-08:00</updated><title type='text'>Access Control Moving to IT?</title><content type='html'>&lt;p class="MsoNormal"&gt;Two years ago, physical security appeared to be the sole domain of the traditional security organization.  Maybe it is me, but it seems that in small and large organizations alike, I am seeing the IT organization as the prime mover in access control... and often surveillance.  In just the last week, I have visited a hosting company for 40,000 realtors, the company responsible for 80% of all transmissions of digital cinema films and one of the oldest large residential communities in Los Angeles.  &lt;/p&gt;    &lt;p class="MsoNormal"&gt;In each case, the Technology Director, the Network Administrator or Facilities Technician (in the IT department) has been the primary point of contact.  Two of these companies are part of very large organizations that have traditional security, yet it is as though they do not exist.  What does this mean?  &lt;/p&gt;    &lt;p class="MsoNormal"&gt;It seems to be the beginning of a trend.  It seems to me that while the physical security professionals get comfortable with the concept of convergence, the IT professionals are filling the void of indecision.  In my opinion, all that has to happen for physical security to re-establish its rightful place is to understand that IT wants to be the custodian of the access control system and wants security to be the owner of the data.  
This can be an easy arrangement to negotiate and one that serves both professional communities.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116369277321935151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/116369277321935151'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/11/access-control-moving-to-it.html' title='Access Control Moving to IT?'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-115928388119743015</id><published>2006-09-26T08:15:00.000-07:00</published><updated>2006-09-26T08:52:24.400-07:00</updated><title type='text'>When Cost of Smartcards is Too High</title><content type='html'>Very few companies will want to bear the high cost of re-badging their entire workforce.   And, why should they?  Integrating physical and data security is the desired goal.  Smartcards represent a technology approach to achieving that goal.  Integration can also be achieved through directory services (e.g. Active Directory, LDAP) without having to re-badge.  Here is how I advise my clients when they are confronted with budget constraints:  i) Identify the assets that represent the greatest risk (e.g. top security government work); ii)  Provide smartcards to the people who need to access those assets; iii) Protect all other assets using directory services.  
This is a practical approach to achieve convergence between physical and data security.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115928388119743015'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115928388119743015'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/09/when-cost-of-smartcards-is-too-high.html' title='When Cost of Smartcards is Too High'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-115925094894657391</id><published>2006-09-25T23:03:00.000-07:00</published><updated>2006-09-25T23:11:16.890-07:00</updated><title type='text'>Three Hundred Data Breaches</title><content type='html'>We hear a lot about data breaches.  It seems as though one is announced nearly every week.  Well, it turns out that between February 2005 and July 2006 more than 300 data breaches were reported.  That is almost 20 a month, roughly four a week.   Click on the link to see a listing of these data breaches:&lt;br /&gt;&lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;http://www.privacyrights.org/ar/ChronDataBreaches.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It is useful to remember that we hear very little about the outcomes of these breaches.  
The lawsuits and penalties rarely appear in the press, yet the general counsel or representing attorneys know that the cost of the breach will show up in litigation costs, penalties and lost shareholder value.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115925094894657391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115925094894657391'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/09/three-hundred-data-breaches.html' title='Three Hundred Data Breaches'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-115181971016752833</id><published>2006-07-01T22:41:00.000-07:00</published><updated>2006-11-27T07:49:49.563-08:00</updated><title type='text'>Value Proposition for Covergance - Free ROI Tool</title><content type='html'>&lt;p class="MsoNormal"&gt;Using smartcards is one way to integrate physical and data security. Using directory services (e.g. Active Directory, LDAP) is another. In either case, many security directors have discussed with me how this convergence might be financially justified during this budgeting season. This is becoming such a widespread concern that I have initiated the development of a sophisticated eCrime ROI Tool that links several worksheets into a consolidated value proposition. 
This is one of the advantages of belonging to a company with over 500 CFOs.&lt;br /&gt;&lt;br /&gt;So far, it seems quite easy to justify a smartcard initiative if the company also sells security products. When this is the case, it is clear that aligning the customer-facing product strategy with security operations will both enhance revenue and reduce risks. This helps the numbers favor integrating security, even with the more expensive smartcards. When this situation is not the case, then it helps to explore applications, in addition to access control, that can be added to the smartcards. Such applications might be for travel expenses, credit union, cafeteria access, uniforms and equipment accounts and so on.&lt;br /&gt;&lt;br /&gt;We have found that expenses related to lawsuits can be a good source of cost justification, especially when we look at how converged controls prevent lawsuits, decrease the potential for awards going to the other party and increase the potential for winning awards. In a related manner, consider the costs related to investigations. A major value in convergence is its auditability: you can build a strong case by looking at the time and cost of tracking down events that occur in physical space and on the network. These systems are usually disparate, record events with clocks that are slightly out of step and have user IDs that are often different. They are a quagmire of line items that take a lot of time to sort through.&lt;br /&gt;&lt;br /&gt;The ROI Tool is easy to use and available upon request. All I ask is that after you use it, you provide comments on how it worked and how you would like to see it improved. I am glad to share this ROI Tool. 
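The investigation quagmire described above (separate systems, clocks out of step, different user IDs) is exactly what a converged audit has to reconcile. The following is an added example, not the ROI Tool and not code from this post or from Ollivier Corporation: it joins constructed badge-reader events to constructed domain logon events, shifts the panel's timestamps onto the domain controller's clock, maps badge serials to directory accounts through a constructed lookup table, and reports interactive logons for which nobody badged in that day. Run once with and once without the clock correction to see how a 95-second skew alone produces a false finding.

```python
"""Cross-correlate badge-reader events with network logon events.

Added example, not part of the original post or of any Ollivier Corporation
product. The log formats, the clock offset and the badge-to-account mapping
are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: the access-control panel's clock runs 95 seconds ahead of the
# domain controller's, as happens when the two are not synchronised by NTP.
PANEL_CLOCK_OFFSET = timedelta(seconds=95)

# Constructed mapping from badge serial to directory account. In a real
# deployment this comes from HR or from an attribute on the directory user.
BADGE_TO_USER = {"0042A7": "jdoe", "0042B1": "asmith", "0042C3": "rlee"}

# Constructed badge events: panel timestamp, badge serial, door, decision.
BADGE_LOG = """\
2006-07-01 08:01:40,0042A7,LOBBY-N,GRANTED
2006-07-01 08:03:12,0042B1,LOBBY-N,GRANTED
2006-07-01 08:04:05,0042C3,LOBBY-N,DENIED
2006-07-01 08:06:30,FFFF01,LOBBY-N,GRANTED
"""

# Constructed logon events: domain-controller timestamp, account, host, type.
LOGON_LOG = """\
2006-07-01 08:02:30,jdoe,WS-114,INTERACTIVE
2006-07-01 08:02:55,asmith,WS-207,INTERACTIVE
2006-07-01 08:05:10,rlee,WS-301,INTERACTIVE
2006-07-01 09:40:00,jdoe,WS-114,INTERACTIVE
2006-07-01 09:41:00,svc-backup,SRV-02,SERVICE
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    logon_time: datetime
    reason: str


def parse_csv(log, fields):
    """Split one constructed log into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split(","))) for line in log.strip().splitlines()]


def panel_to_dc_time(raw, correct_clock):
    """Put a panel timestamp onto the domain controller's timeline."""
    t = datetime.strptime(raw, TS_FORMAT)
    return t - PANEL_CLOCK_OFFSET if correct_clock else t


def correlate(badge_log=BADGE_LOG, logon_log=LOGON_LOG, correct_clock=True):
    """Flag interactive logons with no earlier GRANTED badge entry by the same
    person on the same day. Badges with no directory mapping are reported
    separately: an ID mismatch between the two systems is itself a finding."""
    entries = {}          # user -> entry times on the DC timeline
    unknown_badges = []
    for row in parse_csv(badge_log, ("ts", "badge", "door", "result")):
        if row["result"] != "GRANTED":
            continue
        user = BADGE_TO_USER.get(row["badge"])
        if user is None:
            unknown_badges.append(row["badge"])
            continue
        entries.setdefault(user, []).append(panel_to_dc_time(row["ts"], correct_clock))

    findings = []
    for row in parse_csv(logon_log, ("ts", "user", "host", "kind")):
        if row["kind"] != "INTERACTIVE":
            continue  # service and network logons are not tied to a body in the building
        t = datetime.strptime(row["ts"], TS_FORMAT)
        prior = [e for e in entries.get(row["user"], [])
                 if e.date() == t.date() and t >= e]
        if not prior:
            findings.append(Finding(row["user"], row["host"], t,
                                    "interactive logon with no badge entry today"))
    return findings, sorted(set(unknown_badges))


if __name__ == "__main__":
    for flag in (True, False):
        found, unknown = correlate(correct_clock=flag)
        print(f"clock corrected={flag}: {[f.user for f in found]}, unknown badges {unknown}")
```

With the clock corrected the only finding is rlee, whose badge was denied at the door and who nevertheless logged on at a workstation a minute later. Without the correction asmith is flagged as well, purely because the panel stamped the badge swipe 17 seconds after the domain controller stamped the logon. In practice the offset would be measured against a common NTP source rather than hard-coded, and the badge-to-account table is the piece of identity management that convergence quietly depends on.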
Simply send me an email (joelrakow@olliviercorp.com) and I will send it to you.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115181971016752833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/115181971016752833'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/07/value-proposition-for-covergance-free.html' title='Value Proposition for Covergance - Free ROI Tool'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114816412966566768</id><published>2006-05-20T15:17:00.000-07:00</published><updated>2006-05-20T15:28:52.266-07:00</updated><title type='text'>Convergence:  The Whole Story</title><content type='html'>I recently attended a security conference where convergence was a major topic.  To my surprise and disappointment, convergence sometimes means using the IT infrastructure to run security applications such as access control and surveillance.  What a small view of an important topic!&lt;br /&gt;&lt;br /&gt;This view of convergence is grounded in the lowest level of operational security:  It is satisfied with incremental change that may or may not lead to a direct path of increasing the security of critical assets.  This view operates as though automating processes is an end in itself.  
It runs headlong into the age-old IT conundrum of automating a broken process...thereby making things worse.&lt;br /&gt;&lt;br /&gt;We all agree, I am sure, that the processes between physical security and data security are so broken that, for the most part, they do not even exist.  I encourage all participants in the discussion of convergence between physical and data security to make sure that the processes around security are fixed before or at the same time as the security systems are implemented on the IT infrastructure.  That way, you can avoid making the same mistake our IT predecessors made in the 1960s and 70s.  Let's learn from our mistakes so that our effort increases the level of protection.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114816412966566768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114816412966566768'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/05/convergence-whole-story.html' title='Convergence:  The Whole Story'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114507973345687902</id><published>2006-04-14T22:28:00.000-07:00</published><updated>2006-04-14T22:45:59.306-07:00</updated><title type='text'>Security Activities and Operational Risk</title><content type='html'>I see a lot of IT security organizations engaging in a wide range of security "activities".   
I use this term to distinguish what these companies do from the very rare "program" of IT security.  IT security professionals are often guilty of identifying a risk and then finding a tool that addresses that risk.  They fail to start with the assets that need protection and the identification of each asset's vulnerabilities.&lt;br /&gt;&lt;br /&gt;IT professionals can be excused for doing this because security is really a new discipline for IT.  Ten years ago, it was difficult to find an IT security professional.  Although they are much more plentiful now, they often lack a solid foundation in security processes.  Without the initial groundwork of an asset/risk assessment, IT security activities are highly random and seldom contextualized or programmatic.  This lack of foundational security processes leads IT security efforts into the corporate black hole of "operational security".&lt;br /&gt;&lt;br /&gt;Please see my post of February 25 about the distinction between operational risk and organizational risk.  Securing data is different from securing computer hardware or other physical assets.  The operational risk associated with data is very minor while the organizational risk is quite high.  
This is exactly the inverse of most physical security issues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114507973345687902?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114507973345687902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114507973345687902'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/04/security-activities-and-operational.html' title='Security Activities and Operational Risk'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114365902323173187</id><published>2006-03-29T10:52:00.000-08:00</published><updated>2006-03-29T11:03:46.696-08:00</updated><title type='text'>Weeding Out the Unprepared.</title><content type='html'>Ongoing process improvement is an often overlooked but important element of every security program.  It is not enough to identify a vulnerability and implement remediation if you do not also ensure that the asset and risk assessment is reviewed again on a regular schedule.   This is often considered the mark of a true security program...rather than a collection of security activities.  If you work in a regulated industry or submit to other types of audits, ongoing process improvement is almost always one of the "weeder" items on the checklist.  Remember college, where there was always that one course that weeded out the less talented students.  
The same applies to ongoing process improvement, the audit checklist and security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114365902323173187?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114365902323173187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114365902323173187'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/03/weeding-out-unprepared.html' title='Weeding Out the Unprepared.'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114162139125152216</id><published>2006-03-05T20:52:00.000-08:00</published><updated>2006-04-23T20:35:03.410-07:00</updated><title type='text'>Why Convergence?</title><content type='html'>&lt;p class="MsoNormal"&gt;Physical security and data security organizations typically work independently of each other.  You know this to be true because you have seen it at every company you have ever worked at, unless it is IBM, Microsoft or one of just a handful of others.  Well, let's take a look at some obvious security events that never get detected in the typical (unconverged) environment:&lt;br /&gt;1.  Bob does not badge in to work today, but someone accesses data and applications normally used by Bob.  This is probably not treated as a security event in your company.&lt;br /&gt;2.  Bob gets up from his computer workstation and leaves the building to go home for the night. He even badges out.  
Bob’s workstation stays logged in and continues to run just as though he went down the hall to use the restroom.  Would this be true at your company?&lt;br /&gt;3.  Bob works in customer support, yet he uses the computers in his department to access files that are normally accessed only by people in accounting.  These two departments are on separate floors of the building.  Would this be a security event in your organization?&lt;br /&gt;&lt;br /&gt;These three examples illustrate how the separation of physical security and data security creates a set of vulnerabilities that ought to embarrass any security organization that claims to have performed a risk assessment.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114162139125152216?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114162139125152216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114162139125152216'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/03/why-convergence.html' title='Why Convergence?'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114161709781294742</id><published>2006-03-05T18:59:00.000-08:00</published><updated>2006-04-23T20:35:53.223-07:00</updated><title type='text'>Sopranos Go After the Data</title><content type='html'>Have you ever watched the Sopranos on television? Or any mafia movie, for that matter? They always seem to be hijacking trucks: What are they after? 
Well, they steal cigarettes, razor blades, electronics: things that are easily converted into cash. These are called fungible items.&lt;br /&gt;&lt;br /&gt;In today's world, financial identities are fungible items. A good financial identity will fetch $2 on the open Internet. Moreover, there are a number of scams that allow less than $10,000 to be converted into $1.5 million with virtually no risk of being caught.&lt;br /&gt;&lt;br /&gt;I am not writing this to encourage any of you to get into the Internet scam business. Rather, I write this to underscore why so many businesses and individuals are under very intense attack over those financial identities. These attacks are increasing, and the attackers will be looking for new targets and new victims.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114161709781294742?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114161709781294742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114161709781294742'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/03/sopranos-go-after-data.html' title='Sopranos Go After the Data'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114098419303518673</id><published>2006-02-26T11:51:00.000-08:00</published><updated>2006-02-26T12:03:21.770-08:00</updated><title type='text'>A Meeting of Two Cultures with Identical Goals</title><content type='html'>&lt;p class="MsoNormal"&gt;I recently conducted a joint security discussion 
at a $5 billion beverage company.   I moderated the discussion, which was between the physical security organization and the data security organization.  The physical security personnel fit the stereotype: burly, blue-collar and rough-hewn in their language.  The data security folks also fit their stereotype: brainy and articulate.  Yet, during the meeting, it became clear that the physical security folks had a lot to offer the IT people.  It is true that the physical security folks might be less able to persuade, but it was clear to me and to the IT people that physical and data security can and should work together.&lt;br /&gt;&lt;br /&gt;We found that physical security had skills in conducting risk-based assessments that were sorely lacking among the IT people.  We also discovered that the physical security people would immediately view change procedures as an area of high vulnerability.  Yet, such procedures at this company were incomplete and inadequate.  Finally, the parties reached consensus that third-party oversight might benefit IT's security efforts.&lt;br /&gt;&lt;br /&gt;Convergence is a term used to imply the integration of physical and data security.  Most people think this means the integration of entry control systems for facilities and the computer network.   
In the case of this global company, convergence means integrating the two organizations in a way that allows both to contribute to improving the protection of assets.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114098419303518673?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114098419303518673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114098419303518673'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/02/meeting-of-two-cultures-with-identical.html' title='A Meeting of Two Cultures with Identical Goals'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-114092295338855343</id><published>2006-02-25T19:02:00.000-08:00</published><updated>2006-02-25T19:02:33.473-08:00</updated><title type='text'>Operational Risk and Organizational Risk</title><content type='html'>&lt;p class="MsoNormal"&gt;Electronic crime has increased the organizational risk that corporations face. With physical crime, operations tend to bear the greatest risk. Six or seven years ago, organizations could focus on securing their operations in order to deal with their greatest risk. If a truckload of product were stolen, the loss would often be the company's greatest exposure. The Internet has brought changes such as: i) Financial identities can be obtained (i.e. 
stolen) and sold by people thousands of miles away; ii) Laws have been implemented to protect consumers and employees from having their identities stolen as a result of corporate negligence; and iii) Penalties and sanctions can, when made public, result in a loss of approximately 17% of a corporation's market capitalization for at least a year following the breach, in addition to damages. This loss of shareholder value, along with the damage to the brand, makes the organizational risk greater than that borne by the operations. The corporation suffers very little, if at all, when its customers' financial identities are purloined...at least the direct loss is very little. The litigation that follows is now the major risk factor. A competent security plan protects the corporation from this organizational risk.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-114092295338855343?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114092295338855343'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/114092295338855343'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2006/02/operational-risk-and-organizational.html' title='Operational Risk and Organizational Risk'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113475727661577481</id><published>2005-12-16T10:19:00.000-08:00</published><updated>2006-02-25T18:46:10.906-08:00</updated><title type='text'>Aligning Risk with Security 
Solutions</title><content type='html'>&lt;p class="MsoNormal"&gt;IT organizations almost never conduct a risk assessment before they implement security. How smart is that? Well, not very. The standard practice in, say, configuring a firewall is to see what traffic comes through and then configure it to block that traffic. Wait for the next set of traffic to come, block it, and then repeat this process until satisfied.&lt;br /&gt;&lt;br /&gt;Think about securing your house in the same manner: Well, people walk in front of the building so you put locks on the front door. People walk by and look in the windows so you lock the front windows. The garage door is left open at times and people walk by, so you lock the door from the garage to the house. Let's say that is the extent of traffic for about a week. Is your house secure? Hardly...and neither are IT systems, and for the very same reason. The risk-based alternative works the other way around: start from the assets that need protecting, decide which traffic they legitimately need, permit only that, and deny everything else by default.&lt;br /&gt;&lt;br /&gt;I actively advocate having physical security people work with IT people in conducting risk assessments. Physical security people have risk-based assessments etched into their DNA.  They can provide a lot of guidance to IT people when it comes to securing IT systems.&lt;br /&gt;&lt;br /&gt;I like to think of this as one step in integrating physical and data security: This is also called convergence in security circles. I exhort my clients to integrate the two organizations, physical and data security, before they try to integrate systems such as access controls. 
IT learned many years ago that automating a bad procedure only makes the matter worse: Integrating the physical and data access control systems before the organizations are working together will likewise make the situation worse.&lt;br /&gt;&lt;br /&gt;In addition to conducting risk-based assessments, I encourage my clients to have physical security provide guidance in developing enforceable policies for IT change controls and to provide third-party oversight when those change procedures are being performed. Collaboration in these three areas represents a satisfactory prerequisite to integrating the various access control systems.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113475727661577481?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475727661577481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475727661577481'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/aligning-risk-with-security-solutions.html' title='Aligning Risk with Security Solutions'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113475413809036879</id><published>2005-12-16T09:28:00.000-08:00</published><updated>2006-01-21T09:54:19.236-08:00</updated><title type='text'>Securing the Corporation</title><content type='html'>&lt;p class="MsoNormal"&gt;Ask most data security professionals how to secure the assets of a company: They will talk about operational security.  
They will discuss firewalls, intrusion prevention and the like. They wrongly focus on the loss of data and other operational security matters.  Yet, they will also tell you that they can never be 100% secure.  At the same time, they nearly always fail to discuss the biggest risk for a corporation...and that is often the legal aftermath of a data loss. The legal entanglements will often result in far more financial loss than the actual damages, especially in the case of a loss of data. I think this is a holdover from physical security, when the actual loss was often the majority of the material damages.  This is simply not the case in today's world of data loss.  So, how do you protect against this?&lt;br /&gt;&lt;br /&gt;I like to distinguish operational security from organizational security.  Securing a corporation requires both operational security and organizational security.  At the minimum, organizational security is comprised of:  i) Some kind of oversight or governance; ii)  A formal security plan; and, iii) Progress against that plan.  While the devil is indeed in the details, these three elements typically protect a corporation from its greatest risk.  Moreover, they can often be implemented within 30 to 60 days.  I often call it the fast track to compliance.  With an active oversight program, companies can actually extend their remediation efforts and be more systematic, and therefore economical, in deploying their operational security. 
&lt;br /&gt;&lt;br /&gt;I strongly advocate organizational and operational security programs as joint initiatives.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113475413809036879?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475413809036879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475413809036879'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/securing-corporation.html' title='Securing the Corporation'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113475313268567118</id><published>2005-12-16T08:57:00.000-08:00</published><updated>2005-12-17T13:29:46.423-08:00</updated><title type='text'>Integrating Physical and Data Security for Money</title><content type='html'>&lt;p class="MsoNormal"&gt;I continue to bang the drum for integrating physical and data security. It makes too much sense not to. Not only does it dramatically improve security and make electronic crime much more difficult to perpetrate, it is even inexpensive. Think of the situation in this way:&lt;br /&gt;&lt;br /&gt;A company with 3,000 employees in three buildings has to issue change orders for every new employee, every departing employee and every employee who relocates within the buildings. This means HR must document the changes, physical security must update its various access control lists (one for each building), and IT must modify the server configuration. 
Assuming 10% of the employees have a change each month, that is 300 change requests, each handled three times over (by HR, physical security and IT), or 900 per month. By the way, I hear that Cisco has 10,000 change requests a day! They manage those requests with 5 people. You know how: They have integrated their systems.&lt;br /&gt;&lt;br /&gt;Integrating physical access control and computer accounts for our hypothetical corporation will provide a full return on its investment (estimated at $160,000) in 16 months, based on compensation levels in Los Angeles circa 2004.&lt;br /&gt;&lt;br /&gt;Why isn't this being done across all corporations? I maintain that the obstacle is simply the cultural gap between physical security organizations and the information technology organizations. I spend a good deal of my professional time explaining and showing physical security personnel how to bridge the gap with IT. I identify and describe how to integrate with IT even before the access control systems are integrated.&lt;br /&gt;&lt;br /&gt;Integrating access control systems and the computer network will produce tremendous gains in both security and productivity. 
If Cisco can process 10,000 change requests a day with five people then certainly access control can become the low-level administrative task it should be.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113475313268567118?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475313268567118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113475313268567118'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/integrating-physical-and-data-security_16.html' title='Integrating Physical and Data Security for Money'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113466621486545566</id><published>2005-12-15T08:41:00.000-08:00</published><updated>2005-12-17T13:33:35.210-08:00</updated><title type='text'>Identity or Transaction</title><content type='html'>&lt;p class="MsoNormal"&gt;Identity management is one of the most obvious places to focus security attention, but it may not be the most economical. This is especially true for a large corporation that needs to protect shareholder value and may be the object of attack from dozens of unknown sources. Having said that, identity management has experienced a number of improvements in recent years.&lt;br /&gt;&lt;br /&gt;I was in the middle of these developments two years ago when I was advising the president of a company that secures communication between the White House and the DOD. 
This was during the transition between "PKI is too hard to use" and the new approach, which is to wrap PKI in a registration authority software interface. Now, there are a number of identity management solutions that make the process of administering PKI-level identity management as easy as email account administration.&lt;br /&gt;&lt;br /&gt;Returning to my first point, there are two things to remember: You can never have perfect knowledge of your users' identities, so this will always remain a vulnerability even if it is reduced; and you could have near-perfect identity management and still not reduce your company's largest risk. These two facts of life in today's world suggest that identity management is not, as I stated at the outset, the most economical security focus.&lt;br /&gt;&lt;br /&gt;So, what is? I continue to believe that it is best to keep the focus on two places and keep it there until it cannot be implemented any better: One, secure the point of the transaction; and two, optimize the three-point implementation of i) maintaining a formal security plan, ii) providing formal governance over that plan, and iii) showing progress against that plan. 
These two points of focus easily provide the greatest security (especially when cost is considered) a corporation can obtain.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113466621486545566?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113466621486545566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113466621486545566'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/identity-or-transaction.html' title='Identity or Transaction'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113454169235889284</id><published>2005-12-13T22:16:00.000-08:00</published><updated>2005-12-17T13:36:11.320-08:00</updated><title type='text'>Disaster Recovery Begs a Context</title><content type='html'>&lt;p class="MsoNormal"&gt;It is a fact of corporate life in America that a company's biggest risk derives not from the direct impact of a disaster but from the litigation that follows. Emergency management provides the proper framework for planning disaster recovery and business continuity (DR/BC). This framework covers the period from the first instance of an emergency until the emergency has fully passed and normalcy is restored. 
Too often disaster recovery is combined with business continuity as though the two together were the whole of emergency management.&lt;br /&gt;&lt;br /&gt;A company should build its DR/BC plan within a framework that distinguishes incidents (breaches in service to the customer), disasters (breaches in service that require replacement of facilities and/or equipment) and crises (breaches that become the focus of the news media). As these different emergencies are distinguished, different emergency response teams are activated.&lt;br /&gt;&lt;br /&gt;Similarly, the emergency response plan should exist within a governance program. It requires both of these layers, governance and an emergency response plan (including DR/BC), to truly mitigate a company's liability.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113454169235889284?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113454169235889284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113454169235889284'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/disaster-recovery-begs-context.html' title='Disaster Recovery Begs a Context'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113436856095582088</id><published>2005-12-11T22:16:00.000-08:00</published><updated>2005-12-17T13:37:18.220-08:00</updated><title type='text'>When is your IT department an obstacle to security?</title><content 
type='html'>&lt;p class="MsoNormal"&gt;It may seem like a funny question, but the IT department is an obstacle to security when it operates under the myth that a high, thick wall keeps the bad guys out. This is a myth because 60 to 80% of all corporate crimes have an insider element: That element can be unwitting or witting.&lt;br /&gt;&lt;br /&gt;So how do you know if your IT department believes in this myth? Simply listen when an executive asks them: Are we secure? If they answer by saying something along the lines of "Yes, we have a firewall, intrusion detection and virus protection", then indeed they do believe the myth.&lt;br /&gt;&lt;br /&gt;An electronic crime does not occur as a simple event. It evolves. It begins with the bad guy collecting information from unsuspecting sources. He (or she) then uses that information to create traffic that looks to your firewall, intrusion systems or perhaps your virus scanners every bit like valid traffic. Electronic crime sneaks past the barrier of the "high, thick wall."&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/19586308-113436856095582088?l=ecrimewatch.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113436856095582088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113436856095582088'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/when-is-your-it-department-obstacle-to.html' title='When is your IT department an obstacle to security?'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113419476333678478</id><published>2005-12-09T21:58:00.000-08:00</published><updated>2005-12-17T14:00:02.500-08:00</updated><title type='text'>Integrating Physical and Data Security</title><content type='html'>&lt;p class="MsoNormal"&gt;Over 15,000 physical access control systems have been sold and installed in US corporations. These systems fully support integration of access control in both physical and logical space: Yet, fewer than a dozen companies have completed this integration. Despite the existence of these systems, the place to start the integration is with the people. Physical security personnel hold many of the key skills. Here is what I recommend:&lt;br /&gt;1. Have physical security lead the risk-based assessment of the company's computer systems. This skill is in their DNA. IT folks almost never conduct risk-based assessments.&lt;br /&gt;2. Have physical security write enforceable policies for change management within IT. IT seldom writes such policies for itself...and when it does, they are seldom written so as to be readily enforceable.&lt;br /&gt;3. Have physical security provide third-party oversight when key change procedures are performed. Think of data as cash: digital cash. Doing so highlights the need for third-party oversight.&lt;br /&gt;Integrating these three functions is the forerunner of integrating the access control systems. 
It follows the old IT adage: Do not automate broken processes.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113419476333678478'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113419476333678478'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/integrating-physical-and-data-security.html' title='Integrating Physical and Data Security'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113397171776085126</id><published>2005-12-07T08:04:00.000-08:00</published><updated>2005-12-17T14:01:56.866-08:00</updated><title type='text'>eCrime or Security</title><content type='html'>&lt;p class="MsoNormal"&gt;I use eCrime because it is a conversation starter. It leads to more questions, more dialog. When the term security is used, people often rely on their image of ex-cops, fences, dogs, kiosks, etc. It stops conversation and questioning. eCrime is a conversation starter. It invites such questions as: How is electronic crime different than physical crime? Why is electronic crime on the rise and physical crime at a plateau? How do physical crime (security) people interact with electronic crime people? 
These questions are addressed throughout this blog and in Tatum's eCrime practice.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113397171776085126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113397171776085126'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/ecrime-or-security.html' title='eCrime or Security'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113390467885503841</id><published>2005-12-06T13:25:00.000-08:00</published><updated>2005-12-17T14:03:04.273-08:00</updated><title type='text'>Cyberbust!</title><content type='html'>&lt;p class="MsoNormal" style="line-height: 150%;"&gt;&lt;span style="font-family: Arial;"&gt;This was the allure that got me into this business:&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="line-height: 150%;"&gt;&lt;span style="font-family: Arial;"&gt;Five thirty on a dark Saturday morning, I led an experienced team in a court-ordered break-in to investigate a number of companies allegedly linked to illegal operations taking place in a single building south of Los Angeles. In this concrete-slab tilt-up building so typical of California industrial parks were slightly less than a dozen companies providing credit card and bounced check processing services. These companies were spawned from a single company that the State Court had just recently judged to be stolen, in its entirety, two years before. Two employees with minority shareholdings, it seems, hijacked the hard drive from the server, leaving bogus drives as replacements, thereby taking the clients, the vendors and all future transactions. The majority owner of the original company was left with the existing cash, which was not much, the lease to the building, furniture and little else. He pursued the thieves in the courts for two years, finally receiving a judgment for $24 million and a court order to seize the business to collect evidence of the commingling of assets between the companies. The seizure was foiled because the defendants placed the stolen company into bankruptcy, thereby forcing a change in venue from state to federal court. This bankruptcy was filed, of course, after the most valuable assets were transferred from the bankrupted company to the other legal entities, leaving the owner with a bankrupt company worth far less than his $24 million judgment. This crime is one example of how difficult it is to catch up with cunning thieves who understand the subtleties of electronic forms of data and the law.&lt;/span&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113390467885503841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113390467885503841'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/cyberbust.html' title='Cyberbust!'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113389692065585740</id><published>2005-12-06T11:14:00.000-08:00</published><updated>2005-12-17T14:07:04.370-08:00</updated><title type='text'>Where is the leadership?</title><content type='html'>&lt;p class="MsoNormal"&gt;What happens if Bob does not badge in and then someone else accesses Bob's computer and data? Answer: Nothing. It is not even a security event or alert. This scenario illustrates the fact that there is no connection between physical security and data security in corporations. 
Here is the punch line: Over 15,000 systems have already been sold and installed in corporations in America that enable the integration of physical and data security. Why the disconnect?&lt;br /&gt;&lt;br /&gt;I believe it is a failure of leadership. There is nothing to prevent physical security people and data security people working together except for: i) a cultural gap; and ii) the lack of leadership to bridge that gap.&lt;br /&gt;&lt;br /&gt;When Tatum's eCrime practice is operating at its highest level, we provide that leadership. Our goal is to increase the amount of time we spend operating at that level. In the meantime, we devote ourselves to the blocking and tackling of compliance and operational security.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113389692065585740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113389692065585740'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/where-is-leadership.html' title='Where is the leadership?'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113376374499916844</id><published>2005-12-04T22:22:00.000-08:00</published><updated>2006-03-05T20:52:09.770-08:00</updated><title type='text'>Making Money with Financial Identities</title><content 
type='html'>&lt;p class="MsoNormal"&gt;Here is an example of how financial identities are used in scams to make money for the bad guys:&lt;br /&gt;1. Bad Guy Bob buys 2,000 financial identities for $2 apiece. So, here one person makes $4,000 for a product (the financial identities) that he gets to sell over and over again.&lt;br /&gt;2. Bob then uses one of the identities to get a credit account at Circuit City, where he buys 10 digital cameras for $500 each. This charge, of course, is against someone else, not Bob.&lt;br /&gt;3. Bob has the cameras shipped to one of his re-mailers. He got the re-mailer by posting an advertisement on a telephone pole saying, "Work at home, make $20 per hour."&lt;br /&gt;4. Bob opens a store on eBay advertising brand new, still-under-warranty cameras, still in the packaging, for sale for only $350. Bob will get a lot of orders for these cameras.&lt;br /&gt;5. Bob sends ten of the orders to his re-mailer and says, "Open the box from Circuit City and send one camera for each of these orders." Bob pays the re-mailer, say, $40 for this work.&lt;br /&gt;&lt;br /&gt;Let's do the math. Bob makes $3,500 for his $2 investment when he uses one of the 2,000 financial identities he had purchased earlier. If he does this same routine 1,999 more times he will gross $700,000. 
By the way, Bob could execute this entire scam from outside of the U.S. He could also move the operation (the re-mailers and the Circuit City store) from city to city each month.&lt;br /&gt;&lt;br /&gt;This scam is a very difficult one to catch up with. It is very lucrative and very low risk. The point of all of this is that with such easy gain and low risk, there is a high level of motivation for bad guys to steal identities. You can bet that the pressure on financial identities will increase for many years to come.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113376374499916844'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113376374499916844'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/making-money-with-financial-identities.html' title='Making Money with Financial Identities'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-19586308.post-113376288330355765</id><published>2005-12-04T22:07:00.000-08:00</published><updated>2005-12-04T22:08:03.310-08:00</updated><title type='text'>Information Tatum - Joel Rakow, Ed.D. - December 2005</title><content type='html'>Here's a first.  A prominent computer security expert claims that the proceeds derived from electronic crime exceeded, for the first time this year, the proceeds derived from illegal drug trafficking: $105B.  This statement could simply be a case of an expert with a self-interest making a dramatic statement to draw attention to himself.  Nonetheless, it shows how rampant eCrime has become in the ten years since the Internet became a mainstream tool.&lt;br /&gt;&lt;br /&gt;The holiday season inspired me to select my three favorite news bites as Hot Topics.  One illustrates how companies are attacking their competitors' web properties using regulatory acts.  The second presents new progress in blocking SPAM, and the third discusses the new strategy and sensitivities regarding protecting the corporate network at the point of user workstations through the new "lockdown" technologies.  I hope you enjoy this month's selection.  Best wishes for the&lt;br /&gt;****************************************&lt;br /&gt;Joel's Activities:&lt;br /&gt;1.  At the Conference Board in New York, Joel presented to approximately 120 security executives of America's top corporations including WalMart, FedEx, BellSouth, Genentech, Cisco, etc.&lt;br /&gt;2.  Tatum's Denver office and Joel will prepare a global security plan for that area's largest beverage company.&lt;br /&gt;3.  As part of the World Shoe Association's relocation of corporate headquarters, Joel led the relocation and re-staffing of the IT operations, including the implementation of a new tradeshow production system and back office system.&lt;br /&gt;4.  
Joel chaired the first three IT Steering Committee meetings after developing and obtaining approvals on the charter and operating plan for Bidz.com's governance program.&lt;br /&gt;***************************************&lt;br /&gt;HOT TOPICS&lt;br /&gt;WEB ATTACKS USING REGULATIONS&lt;br /&gt;--Study of Take-Down Notices Under DMCA Section 512 Finds Potential for Abuse&lt;br /&gt;(28 November 2005)&lt;br /&gt;Researchers at the University of California at Berkeley and the University of Southern California looked at 876 takedown requests made to web sites and search engines under Section 512 of the Digital Millennium Copyright Act (DMCA). Section 512 requires that hosting and search providers take down content and links to content to be exempt from copyright lawsuits. The notice needs no judicial review of whether or not a copyright has been infringed upon. The researchers found that more than half of the requests were made by companies against competitors, and that 30 percent of the requests were ones in which it was questionable whether or not copyright had been infringed upon. There were only seven cases among those studied in which the questioned content was reinstated on web sites.&lt;br /&gt;http://www.vnunet.com/vnunet/news/2146807/dmca-hindrance-help&lt;br /&gt;http://www.securityfocus.com/brief/62&lt;br /&gt;http://lawweb.usc.edu/news/dmca.html&lt;br /&gt;http://mylaw.usc.edu/documents/512Rep-ExecSum_out.pdf&lt;br /&gt;[Editor's Note (Pescatore): The DMCA is a pretty good example of how legislation aimed at technology usually has more wacky side effects than any actual positive effect. 
That said, it is pretty straightforward to file a counter-notification if someone has used DMCA improperly to cause legitimate content to be removed - the Electronic Frontier Foundation and a number of universities sponsor a site that provides information and templates on how to do so: http://www.chillingeffects.org/&lt;br /&gt;(Schultz): The DMCA has been a proverbial can of worms ever since the day it went into law. Studies such as the ones at UC Berkeley and USC provide empirical evidence of some of the DMCA-related abuses that occur. The big question, however, is whether legislators will respond appropriately or whether they will continue to blindly support the industries that so strongly lobbied for this legislation.&lt;br /&gt;(Hoepman): A similar study in the Netherlands found that the vast majority of ISPs, when presented with a take-down notice, prefer to err on the safe side and comply without checking the validity of the claim at all.]&lt;br /&gt;&lt;br /&gt;SPAM BLOCKS&lt;br /&gt;--FTC: Spam Blocking Technology is Getting Better&lt;br /&gt;(28 November 2005)&lt;br /&gt;A study conducted by the US Federal Trade Commission (FTC) indicates that Internet service providers (ISPs) are improving their spam blocking techniques. In a test, the FTC found that two unnamed web-based email service providers effectively blocked 96 percent of spam messages. However, the onus of filtering the bad messages from the good still falls to the ISPs. Spammers collect email addresses by "scraping," or using automated programs that look for the "@" sign present in all email addresses. The FTC recommends that if people need to post their email addresses on the Internet, they do so in an alternate syntax in order to avoid having their addresses added to spammers' lists.&lt;br /&gt;
http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&lt;br /&gt;[Editor's Note (Schmidt): From a personal perspective, using ISP tools with a "near free" toolbar, I have not had a single SPAM or Phishing email in any of my 7 different email inboxes in going on 10 months. Progress is being made and the tools are there if people would just use them.&lt;br /&gt;(Honan): Filtering Spam at the ISP level makes good business sense for the ISPs. It reduces the network overhead on their links while at the same time making for happier customers. A win-win solution, except for the spammers.]&lt;br /&gt;&lt;br /&gt;LOCKING IT DOWN&lt;br /&gt;--System Lockdown an Effective Tool Against Malware&lt;br /&gt;(28 November 2005)&lt;br /&gt;IT managers should look not only at products to protect their systems from malware, but also at the possibility of locking down end-user computers. With system lockdown, users have limited abilities to compromise their systems. Most malware comes in the form of applications, most of which require some user interaction to gain a foothold within systems.&lt;br /&gt;http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp&lt;br /&gt;[Editor's Note (Schmidt): There once was a time when this would create huge push back, but given the wide use of broadband at home and use of mobile devices to stay connected there are many other options than using work machines. 
This may be more palatable as many that are successful at enterprise security have used configuration management around security to get there.]&lt;br /&gt;&lt;br /&gt;Hot Topics is adapted from SANS NewsBites for Tatum Partners.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113376288330355765'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/19586308/posts/default/113376288330355765'/><link rel='alternate' type='text/html' href='http://ecrimewatch.blogspot.com/2005/12/information-tatum-joel-rakow-edd.html' title='Information Tatum - Joel Rakow, Ed.D. - December 2005'/><author><name>Joel Rakow, Ed.D.</name><uri>http://www.blogger.com/profile/15064611348048424086</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://photos1.blogger.com/hello/201/8900/640/Tatum%20Rakow.jpg'/></author></entry></feed>
