Archive for the ‘Rant’ Category.

Speaking of Sales Pitches

So last week I commented on Alan Shimel’s post about the “security sales conundrum”. Alan responded in a comment asking me what my thoughts were on fixing this problem. I’ve been thinking about this problem. After all, what is the best way to pitch new and existing customers, or at least make them aware of new products that might meet their needs?

While I’ve been thinking this over, I received an interesting sales pitch last night. I received a package at home (even though the package was addressed to my office). Inside was a t-shirt and coffee cup from Lancope. Accompanying the swag was a letter inviting me to participate in a free webinar detailing how Lancope was able to help a university gain better visibility into their network. The package also included some marketing material that was targeted at universities.

While it was odd to receive a 3 pound package I was not expecting (I kept wondering if I had made any enemies lately that might wish me harm), I am happy to see this type of marketing by Lancope. No, I’m not talking about the t-shirt and cup. I’m talking about knowing the industry in which I work. While I may not be interested in the product, I guarantee I will at least look over the material if you show me you understand the issues that I am dealing with.

A few other thoughts on sales pitches:

  • Please don’t pitch me a product my organization already purchases from your company (this happens more than you would think)
  • Engage me on the phone, ask about any current projects where your product might help. If there are not any, don’t keep pitching me.
  • I don’t mind phone calls, but I would prefer e-mail. I don’t mind reading over sales material, but I want to do it on my time.
  • Understand the limitations that I am under. Public institutions have purchasing regulations. Be aware before you contact me.
  • I’ll talk to you but I’d prefer to talk to another educational institution. Personally, I’m a sucker for case studies.

That’s about it for today I think… now back to my regularly scheduled morning coffee.

The State of Security Sales Calls

Alan Shimel over at (big, big breath here) Still Secure, After All These Years (and exhale) has a post about a particular annoyance of mine: overeager, overzealous security sales individuals. While I’ve only been with my current company for a year, it didn’t take long for the sales calls to start rolling in. And roll in they have.

It is getting to the point where, like many security pros out there, I allow telephone calls from odd area codes/external numbers to go to voice mail. Alas, this doesn’t always save me. Some vendors call the main office and ask to be transferred; others call the main switchboard and ask to be put through.

There is even one vendor (I’m assuming since I never answer) that calls at least twice a day. Now the calls, while a bit excessive, can be understood. However, what is inexcusable is that the caller doesn’t hang up during my voice mail greeting. Instead the caller leaves 1-2 second blank voice mails causing my VM light to turn on and the message waiting sound to start chiming away happily… Oh to get a few moments alone with this thoughtful and persistent caller.

However, none of this compares to the extreme annoyance of companies not returning phone calls or e-mail messages inquiring after products. We’ve all dealt with it. A company you were not interested in won’t leave you alone, yet a bit later that same company ignores your inquiries when you are interested. It leads one to believe that there is something horribly wrong with the world when companies you will not give money never leave you alone, while companies you want to give money don’t seem to care.

Or perhaps it is something a bit worse. Perhaps these sales individuals are told to pitch X number of individuals per day/hour/month/week/etc. Perhaps the individuals you want to give money are too busy pitching others. Not because there is a better chance for a sale with these other potential customers, but because the company has outdated or, at the very least, broken sales procedures. Perhaps I have no idea what I am talking about.

One thing that I do know is that it is heartening to see companies like StillSecure reaching out to their customers to see how the company can attempt to address the problem many of us have with sales calls.

We Need A Better Solution

Anyone that has attended a security training at my organization knows that I hate passwords. Why, you might ask? It is simple. Passwords are a pain! Just take a look at my daily password entry:

  • Password #1: Log into my personal laptop in the morning
  • Password #2: Log into personal e-mail account
  • Password #3: Log into ESI web site, check logs/stats and update if needed
  • Password #4: Log into AdamOn, check logs/stats and update if needed
  • Password #5: Log into FeedBurner and check stats
  • Password #6: Log into work computer
  • Password #7: Log into work e-mail
  • Password #8: Open encrypted disk at work

Yup, that’s right, I type in 8 different passwords before 8am in the morning! Is it any wonder I hate passwords? Oh, each of these passwords is different from the others. This is a typical morning for me and does not require that I sign into other services such as IM or Twitter or any of my servers. (Doing so can add up to 5 more unique passwords to my daily log on procedures.)

Each day I face a growing contempt for these passwords. They are in my way, preventing me from doing my job in the most efficient manner possible. It is no wonder that people write down passwords, use similar/the same passwords over and over again and use applications to store passwords. Passwords just suck!

It might sound strange to some people that a security professional doesn’t like passwords, but I am not alone. Dr. M.E. Kabay, CTO of the School of Graduate Studies at Norwich University and Program Director for the university’s Masters of Science in Information Assurance, has an excellent set of articles over at Network World about passwords.

The bottom line is that we need a better solution.

I’m Taking My Ball and Going Home!

It seems that Hannaford supermarket has pulled all of its advertising off at least one television station, claiming the reporting on the recent security breach has been too “aggressive”. Attempts by the television station to get more information from Hannaford have gone unanswered, according to the article. (Please note that I have not seen any of the reporting, so I am going off the cuff here.)

This seems to be an odd move. Now, Hannaford has every right to choose where it advertises its stores, but it seems a bit odd that they would pull advertising simply because they were unhappy with news coverage. Apparently there are no factual errors in the television station’s reports of the incident. It simply seems that Hannaford is hurt by the “aggressive” reporting.

Why is this odd, you ask? This move by Hannaford smacks of an attempt to control the news stories reported about the company. While this may not be the reason the advertisements were pulled, it certainly looks like that.

Is this really a possible perception the company wants the public to have following the recent breach?

The Case of the Student and the Missing Laptop

There is an interesting article over at the Hollister Free Lance site about a potential security incident that may have occurred at Gavilan College. It seems that Tim Holliday, a former Student Trustee and Student Body Senator, is making noise about a Student Body laptop he claims contained personal information such as names, Social Security numbers and photos of 3,100 students, faculty and staff that went missing last year. Apparently, after reporting the missing laptop, Holliday is displeased with the lack of action by the college for more than a year, and he is urging the college to notify affected students about the potential risk.

However, the college is taking a different view on the incident. According to the article, the college investigated the report and discovered that Kayed Asfour, a Gavilan student, was the last person to see the laptop. Apparently Asfour assured the college that he deleted all of the Social Security numbers from the laptop before it went missing.

Satisfied with this, the college chose not to report the incident. According to Gavilan President Steven Kinsella, the college took the necessary precautions and cannot verify that the laptop contained personal information. In addition, Kinsella points out that the Associated Student Body is an independent organization. As Kinsella states in the article, it is not an issue to the college.

Um… what? I do not understand how the possible exposure of 3,100 records containing personal information can fail to be an issue for any college or university. If what Holliday claims is true, there are some serious questions that beg to be answered about this incident. Unfortunately, there is little more information online about this story beyond the article over at the Hollister Free Lance site.

I found this to be a very interesting story for a number of reasons. It strikes at the heart of what many organizations deal with when discussing what actions to take in the event of a suspected incident. There are contradicting stories, unclear information exposure and questions about authority and responsibility for notification. I hope that more of this story becomes known, since I have so many unanswered questions about this incident.

While there is not enough information available to draw any conclusions about this incident, here are some personal ideas about breach reporting.

1. I do not believe that notifying individuals only when personal information loss can be verified is the best approach. When there is the possibility that personal information has been lost or exposed, the organization should always strive to notify unless it can prove the information was not lost/exposed.

2. The assurances of one individual do not count as adequate proof to stop notifications, especially when these assurances are contradicted by another individual within the organization. ‘Tis better to err on the side of caution, in my opinion.

3. Information lost by an independent entity does not absolve an organization of the responsibility to notify affected individuals, especially if the information was given to the independent entity by the organization for official use. After all, when Iron Mountain lost backup tapes belonging to the Louisiana Office of Student Financial Assistance, LOSFA immediately contacted the affected individuals to make them aware of the incident. The same held true when independent third-parties lost information given to them by Waseda University, the University of Akron, Kansas State University, and Berry College.

What Exactly Is The Point?

For the record, please allow me to introduce this concept to those that are not familiar with it: Breach notification letters are completely different from press releases about an incident. Therefore, each needs to be crafted differently.

Breach notifications are intended to alert an individual that their personal information is now in the hands of an unauthorized individual. These notifications tend to follow a similar format: Greet the individual. Introduce the problem. Explain the issues/data lost. Apologize for the event. Offer/Don’t offer credit monitoring for one year. Include phone numbers/web sites/e-mail addresses with more information. Apologize again. Wash. Rinse. Repeat.

Press releases are a different beast and are a way for an organization to give input to the news reports about the incident. Breach press releases generally tend to go into greater detail than a notification: explaining what happened, with or without quotes from the organization. Information on completed or ongoing investigations is included. The obligatory high level apology is included as well, along with a promise that “changes are being taken to prevent such an event in the future”.

However, some organizations intermix these two formulas with mixed results. Adding breach notification information, such as where to get more information, to press releases? It can work. Adding press release information to breach notifications? This is where I have a problem.

Why? Generally, most organizations want to include the “we are making changes to prevent breaches in the future” tag line in breach notifications. For example, it seems that Duke University’s physics department took this approach in a letter to students over a recent incident. (Note: Duke is not alone in this and is only included as a recent example.) My question to anyone that agrees with this approach is this: What exactly is the point?

How does it help me to learn that the organization is taking steps to protect against future breaches? My data has already been lost. It is out there regardless of whether or not a future breach occurs. Not to be self-centered, but upon first learning that my personal information has been lost, the furthest thing from my mind is the protection of other individuals in the future. So please, please, please stop including this information in the breach notification; I just don’t care. Oh, and as I’ve talked about in the past, don’t tell me there is no evidence of misuse three days after the breach.

I agree that it is a good step for organizations to talk about the changes being made to prevent future breaches. After all, it shows that the breach is a learning opportunity for the organization. Just keep it out of the breach notification, OK?

Why Ruin A Strong Message With An Obvious Lie

The state of Illinois has teamed up with the Meth Project to produce a number of unbelievably shocking Public Service Announcements to help combat what appears to be a serious meth problem in the state.

Coming from an era of the “I learned it by watching you!” anti-drug PSAs, I have to say these new style anti-drug advertisements are incredibly raw. The Meth Project television ads include a young girl in a shower with blood coming out of her future “Meth” self and a young boy in a laundromat watching, scared, as his future “Meth” self robs the other customers. Intrigued, I decided to visit the Illinois Meth Project web site to check out all the goings on.

The web site itself is exactly what I would have expected from an anti-drug site. I found these two print ads to be even more powerful than the television ads; of course, it could just be that I am more familiar with the television ads, so the impact is a bit reduced. Then I ran across something that was so obviously a lie it made me question why it was included in the site.

Under the Meth Info section are “Real Stories”, supposed true-life encounters from either people involved with meth or people with family/friends involved with meth. Why supposed? Everything was going fine until I got to the story titled “I wish I never went to that party with my friend” by a 13-year-old female. Here are just a few of the more outrageous parts of this “real” story:

  • The 13-year-old and her friend were invited to a “high school party” at the age of 11 and the parents allowed this to happen
  • Friend’s brother flew into a rage on the first sampling of meth and attacked his sister
  • Friend killed her parents for meth after becoming an addict at the age of 12 or 13
  • Friend is moments away from death each and every day
  • Apparently Friend was not in jail for the killings, and the 13-year-old’s parents were able to take her to rehab despite having no legal authority to do so
  • Friend was sexually abused by her brother (who, last we knew, was in jail) and ran back into the arms of meth
  • At age 13, Friend had her first meth baby, which she sold for meth; apparently the baby died instantly
  • At age 14, Friend is now pregnant with her second meth baby
  • The 13-year-old found out watching the news that Friend committed suicide to impress her meth dealer
  • Friend’s second meth baby was saved and is now in foster care (something that apparently was not offered to the parent-killing, sexually abused, twice pregnant, meth-addicted 14-year-old Friend)

Yeah, I’m just gonna stop right there. While I haven’t done the appropriate research into this, I’m going to call BS on this “real” story. The inclusion of what is obviously at the very least an extreme exaggeration is confusing. The whole point of this site is to show just how addictive and dangerous meth can be. Why include a lie?