The News – 05/05/03

In this Issue:	Recommended Reading
You’re Hit! Here Come the Lawsuits! Shameless Self-Promotion Dept. Another Take On Future Tech The Traveling Wi-Fi Yes, Virginia, There Is a Law Against Spam A Low-Tech, High-Tech Nanofilter	I realize this is the only newsletter you’ll ever need, but if you want more in-depth detail, check out: Stan Hustad’s The Coaching Connection Management Signature's The Express Read

You’re Hit! Here Come the Lawsuits!

If you think the aftermath of a digital intrusion into your company will be limited to restoring some files or servers from backups, applying a few security patches, and tweaking a few security polices, you’re very much mistaken.

More and more lawyers are realizing the potential for widening ripples of liability due to a security breach (see a previous SNS for more information). At the RSA security conference in April, lawyers proposed the following scenario to illustrate the risk:

Harry the Hacker, angry because he's been fired, decides to put his computing skills to work for nefarious purposes. During his cracking spree, Harry's escapades include using the insecure system of We Care Hospital to launch an attack against a bank, stealing the credit card numbers of customers of an online porn company, discovering the medical records of his former boss, which indicate he has just tested positive for HIV, and posting those records on the Web.

Harry then absconds with millions and flees the country, leaving a path strewn with victims of identity theft, privacy breaches, and of course, staggering financial losses. Soon after, the finger pointing ensues.

The idea of downstream liability – the risk companies face when miscreants use their computers to launch other attacks – encompasses several areas of the law, from those that deal with tangible losses such as theft, to those that deal with privacy (if Harry’s boss is European, strict EU privacy laws come into play).

People who know about security and the law are “probably the last to get called in,” said Jeffrey Aiken, an attorney with Whyte Hirschboeck Dudek. “You need to get everyone involved in this process.” Indeed, if your company develops software for internal or customer use, you need to build in security, rather than bolting it on after the fact.

So what can your company do? One immediate step you should take is to establish a Security Incident Response Team (SIRT). A SIRT is a multi-disciplinary, multi-departmental response team that represents a structured, formal capability to respond to actual or attempted intrusions. Be sure to include not only your information security team members, but also representatives from Corporate Communications, Legal, Human Resources, and senior management.

The task of the SIRT is to put in place policies and procedures so that when (not if – 66 percent of companies worldwide experienced a security breach last year) you’re attacked, everyone knows what to do. This includes developing boilerplate press releases to use in case the attack becomes public.

Of course, just establishing a SIRT and giving it lip service is not enough. The SIRT’s capabilities should be linked with your Disaster Recovery (DR) and Business Continuity Planning (BCP) capabilities, all of which should be tested, if only with tabletop exercises, at least once a year. Having such a capability and demonstrating that you’re serious about it can go a long way toward protecting you from downstream liability.

An obvious thing you can do to protect yourself from downstream liability is to make sure your technical security is up to the state of the art for your industry. Lawyers will have a field day if they can prove that your security is weaker than your peers. Make sure you are in compliance with appropriate regulations such as HIPAA, Gramm-Leach-Bliley, or European Union legislation.

Finally, StratVantage can help you assess an aspect of security that is often forgotten but perhaps the most important element: organizational security. Organizational security encompasses the people, policy, and procedures aspects of your company’s information defenses. Having the best, most state-of-the-art technical security measures in place can be as effective as the proverbial Maginot line if your employees don’t practice good security hygiene.

I spoke recently on organizational security (full text of the slides is available here for a limited time; see the previous SNS for more info). Improving your employee’s security practices and awareness is the most effective – and cost-effective – way you can prevent unauthorized access to your enterprise, and avoid downstream liability.

At the very, very least get your employees to stop posting their passwords on sticky notes on their monitors!

C|Net

Briefly Noted

• Shameless Self-Promotion Dept.: My article, “Innovative Marketers Target Unwired Customers” was published in the NetSuds newsletter.
  
  Coming Soon: A new eBook, Be On the Wave Or Under It™ will collect the best of SNS’ insights over the last couple of years, along with additional material from CTOMentor white papers and new material. It will make a great gift (Mother’s Day?) for associates and friends in need of a guide to the latest and greatest technology. Watch for more information in upcoming SNS issues.
  
  I was quoted extensively on eLearning in a recent issue of the Minneapolis magazine, Upsize, which is aimed at growing businesses.
  
  A couple issues ago I debuted SNS Begware, an opportunity for you, gentle reader, to express your appreciation by tipping your server via PayPal. See the sidebar for more info. Total in the kitty so far: $43.48. Thanks, Dave!
  
  I’ve reworked the TrendSpot and Opinion sections, adding a Prediction Tracking page to track the various predictions I’ve made, and also added a Stuff I Said page with some quotes of things I said a decade or so ago on the Net.
  
  I repurposed and adapted an article about the wireless service known as Short Messaging Service (SMS) for the Reside newsletter. It’s entitled, Wherever they go, there you are and it points out how marketers can use – carefully – this new way to contact their customers.
  
  I’m featured in Manyworlds’ Thought Leader Showcase, which lists a few of the white papers I’ve done. I’ve also added their fancy icon to the StratVantage site.
  
  
• Another Take On Future Tech: Alert SNS Reader Roger Hamm sent along a link to Business 2.0’s article, Six Technologies That Will Change the World. A couple of these technologies will be familiar to readers of SNS, but others, like using ink jet technology to build human organs, represent intriguing fringe technologies to watch.
  Business 2.0
  
  
• The Traveling Wi-Fi: Willmar, in rural Minnesota, is more unwired than your local airport (unless you live in the Twin Cities, whose Lindbergh Terminal is the king of unwired airports.) I came to that conclusion this past week when I was in Willmar for a business meeting. On my way out of town I decided to do a little war driving to see if I could pick up my email. Sure enough, as soon as I entered downtown, I picked up two wireless signals. One was from an access point (AP) that was using Wireless Equivalent Privacy (WEP); thus, I was unable to connect to it.
  
  The other was using the default, out-of-the-box AP name, linksys. And it was wide open. When I pulled over, however, I had difficulty getting attached, so I drove around the block and parked opposite a residence. While I was downloading email, I noticed there was a lady on the porch giving me the hairy eyeball, so after a bit, I moved and got an even stronger connection.
  
  I’m grateful to my Wireless Internet Service Provider, but I suspect they have no idea they’re leaving their system open to any random Wi-Fi user.
  
  
• Yes, Virginia, There Is a Law Against Spam: Virginia recently became the state with the strictest anti-spam laws in the nation (but not the world; Denmark recently convicted a Danish software company under their spam laws). Like half the states, Virginia already had an anti-spam law, dating from 1999, but the state put some real teeth in the new measure.
  
  The law gives authorities the power to seize assets earned from sending bulk unsolicited e-mail pitches and allows penalties of up to five years in prison. Some of the law’s provisions kick in when a spammer sends 10,000 copies of a message in a single day or makes at least $1,000 from one such transmission. The effect of this law will be far reaching because America Online and Internet backbone provider MCI are both headquartered in Virginia.
  
  Of more concern are the law’s provisions that prohibit the forging of what is known as e-mail headers, sections at the top of an email that contain identification information on the sender and its service provider. Spammers often forge the headers to hide their identity and cover their tracks.
  
  However, law-abiding folks – like myself – often forge headers for business convenience. For example, if you receive an email from me, the From field will say, “Mike Ellsworth [mellsworth@stratvantage.com].” But that’s not really where the email came from.
  
  Because I have had an account at the Well for as long as I’ve been on the Internet, and because the Well uses Spam Assassin to screen my email, I route all my mail through that account. Thus, any mail you get from me really came from mellswor@well.com, not my StratVantage account. Similarly, I set up my email software to set the Reply address to mellsworth@stratvantage.com, which then forwards the reply to mellswor@well.com.
  
  This somewhat confusing arrangement allows me to use the Well’s spam filter but still appear to be sending email from StratVantage. Lots of people do similar tricks so that email arrives bearing their business name rather than the name of their email provider. It’s hard to take a business seriously when its email comes from AOL.com. There are even services set up on the Web such as Redirection.net to enable this generally harmless deception.
  
  So once again, I’ve crossed the line and become a criminal while blissfully unaware and carrying out my usual daily activities. (Actually, the law requires that not only do I modify my header, but that I send 10,000 messages or make $1,000 on spam.)
  
  The FTC, having come to the startling conclusion that most spam involves fraudulent claims, recently convened a workshop on spam. Our federal legislators are grumbling about the problem and will probably pass a bill (perhaps the typically named “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”, or the CAN-SPAM Act). If our elected representatives stay true to form, the resulting legislation will be brain dead.
  
  A dissenting voice, MCI’s Vint Cerf, father of the Internet and of commercial email, said recently he opposes anti-spam legislation like that proposed by Minnesota Senator Mark Dayton. Cerf said it’s very hard to track down spammers, and thus he’s against laws that cannot easily be enforced.
  MSNBC
  
  
• A Low-Tech, High-Tech Nanofilter: When I speak, one of my favorite illustrations of the current availability of products using nanotechnology is a company called Argonide Nanomaterials. The company’s NanoCeram™ filter is created by sending a high-current, high-voltage, microsecond electrical pulse through aluminum wire in an argon-filled reactor, cause the wire to explode. The results of this somewhat low-tech process are electropositive nanoscale fibers capable of retaining greater than 99.9999% of virus, bacteria and protozoa at flow rates hundreds of times greater than virus-rated ultra porous filters.
  
  I just love this example because it shows you can get nanotechnology benefits with fairly simple procedures.
  Ceramic Bulletin