Be on the wave or under it
News – 05/05/03
You’re Hit! Here Come
If you think the aftermath
of a digital intrusion into your company will be limited to
restoring some files or servers from backups, applying a few
security patches, and tweaking a few security policies, you’re
very much mistaken.
More and more lawyers are
realizing the potential for widening ripples of liability due
to a security breach (see a previous
SNS for more information). At the RSA security conference in
April, lawyers proposed the following scenario to illustrate
Harry the Hacker, angry
because he's been fired, decides to put his computing skills
to work for nefarious purposes. During his cracking spree, Harry's
escapades include using the insecure system of We Care Hospital
to launch an attack against a bank, stealing the credit card
numbers of customers of an online porn company, discovering
the medical records of his former boss, which indicate he has
just tested positive for HIV, and posting those records on the
Harry then absconds
with millions and flees the country, leaving a path strewn with
victims of identity theft, privacy breaches, and of course,
staggering financial losses. Soon after, the finger pointing
The idea of downstream
liability – the risk companies face when miscreants
use their computers to launch other attacks – encompasses several
areas of the law, from those that deal with tangible losses
such as theft, to those that deal with privacy (if Harry’s boss
is European, strict EU privacy laws come into play).
People who know about security
and the law are “probably the last to get called in,” said Jeffrey
Aiken, an attorney with Whyte Hirschboeck
Dudek. “You need to get everyone involved
in this process.” Indeed, if your company develops software
for internal or customer use, you need to build in security,
rather than bolting it on after the fact.
So what can your company do? One immediate step you should take
is to establish a Security Incident Response Team (SIRT). A SIRT is a multi-disciplinary, multi-departmental
response team that represents a structured, formal capability
to respond to actual or attempted intrusions. Be sure to include
not only your information security team members, but also representatives
from Corporate Communications, Legal, Human Resources, and senior
The task of the SIRT is to
put in place policies and procedures so that when (not if –
66 percent of companies worldwide experienced a security breach
last year) you’re attacked, everyone knows what to do. This
includes developing boilerplate press releases to use in case
the attack becomes public.
Of course, just establishing a SIRT and giving it lip service
is not enough. The SIRT’s capabilities
should be linked with your Disaster Recovery (DR) and Business
Continuity Planning (BCP) capabilities, all of which should
be tested, if only with tabletop exercises, at least once a
year. Having such a capability and demonstrating that you’re
serious about it can go a long way toward protecting you from
An obvious thing you can do
to protect yourself from downstream liability is to make sure
your technical security is up to the state of the art for your
industry. Lawyers will have a field day if they can prove that
your security is weaker than your peers. Make sure you are in
compliance with appropriate regulations such as HIPAA, Gramm-Leach-Bliley,
or European Union legislation.
Finally, StratVantage can
help you assess an aspect of security that is often forgotten
but perhaps the most important element: organizational security.
Organizational security encompasses the people, policy, and
procedures aspects of your company’s information defenses. Having
the best, most state-of-the-art technical security measures
in place can be as effective as the proverbial Maginot line if your employees don’t practice good security
I spoke recently on organizational
security (full text of the slides is available here for a limited time; see the previous
SNS for more info). Improving your employees’ security practices
and awareness is the most effective – and cost-effective – way
you can prevent unauthorized access to your enterprise, and
avoid downstream liability.
At the very, very least get
your employees to stop posting their passwords on sticky notes
on their monitors!
- Shameless Self-Promotion Dept.: My article,
“Innovative Marketers Target Unwired Customers” was published
in the NetSuds newsletter.
Coming Soon: A new eBook, Be
On the Wave Or Under It™ will collect the best of SNS’
insights over the last couple of years, along with additional
material from CTOMentor white papers
and new material. It will make a great gift (Mother’s Day?)
for associates and friends in need of a guide to the latest
and greatest technology. Watch for more information in upcoming
I was quoted extensively on eLearning
in a recent issue of the Minneapolis magazine, Upsize, which
is aimed at growing businesses.
A couple issues ago I debuted SNS Begware,
an opportunity for you, gentle reader, to express your appreciation
by tipping your server via PayPal.
See the sidebar for more info. Total in the kitty so far:
$43.48. Thanks, Dave!
I’ve reworked the TrendSpot and Opinion
sections, adding a Prediction
Tracking page to track the various predictions I’ve made,
and also added a Stuff I Said page with some quotes of things I said a
decade or so ago on the Net.
I repurposed and adapted an article about the wireless service
known as Short Messaging Service (SMS) for the Reside newsletter.
It’s entitled, Wherever they go, there you are
and it points out how marketers can use – carefully – this
new way to contact their customers.
I’m featured in Manyworlds’ Thought Leader Showcase, which lists a few of the white
papers I’ve done. I’ve also added their fancy icon to the
- Another Take On
Future Tech: Alert SNS Reader Roger Hamm sent along a link to Business
2.0’s article, Six Technologies That Will Change the World.
A couple of these technologies will be familiar to readers
of SNS, but others, like using ink jet technology to build
human organs, represent intriguing fringe technologies to
- The Traveling Wi-Fi: Willmar, in rural Minnesota, is more unwired than
your local airport (unless you live in the Twin Cities, whose
Lindbergh Terminal is the king of unwired airports).
I came to that conclusion this past week when I was in Willmar for a business meeting.
On my way out of town I decided to do a little war driving
to see if I could pick up my email. Sure enough, as soon as
I entered downtown, I picked up two wireless signals. One
was from an access point (AP) that was using Wireless Equivalent
Privacy (WEP); thus, I was unable to connect to it.
The other was using the default, out-of-the-box AP name, linksys. And it was wide open.
When I pulled over, however, I had difficulty getting attached,
so I drove around the block and parked opposite a residence.
While I was downloading email, I noticed there was a lady
on the porch giving me the hairy eyeball, so after a bit,
I moved and got an even stronger connection.
I’m grateful to my Wireless Internet Service Provider, but
I suspect they have no idea they’re leaving their system open
to any random Wi-Fi user.
- Yes, Virginia, There Is a Law Against Spam: Virginia recently became the
state with the strictest anti-spam laws in the nation (but
not the world; Denmark recently convicted a
software company under their spam laws). Like half the states,
Virginia already had an anti-spam
dating from 1999, but the state put some real teeth in the
The law gives authorities the power to seize assets earned
from sending bulk unsolicited e-mail pitches and allows penalties
of up to five years in prison. Some of the law’s provisions
kick in when a spammer sends 10,000 copies of a message in
a single day or makes at least $1,000 from one such transmission.
The effect of this law will be far reaching because America
Online and Internet backbone provider MCI are both headquartered
Of more concern are the law’s provisions that prohibit the
forging of what is known as e-mail headers, sections at the
top of an email that contain identification information on
the sender and its service provider. Spammers often forge
the headers to hide their identity and cover their tracks.
However, law-abiding folks – like myself
– often forge headers for business convenience. For example,
if you receive an email from me, the From
field will say, “Mike Ellsworth [firstname.lastname@example.org].”
But that’s not really where the email came from.
Because I have had an account at the Well for
as long as I’ve been on the Internet, and because the Well
uses Spam Assassin
to screen my email, I route all my mail through that account.
Thus, any mail you get from me really came from email@example.com,
not my StratVantage account. Similarly, I set up my email
software to set the Reply address to firstname.lastname@example.org,
which then forwards the reply to email@example.com.
This somewhat confusing arrangement allows me to use the Well’s
spam filter but still appear to be sending email from StratVantage.
Lots of people do similar tricks so that email arrives bearing
their business name rather than the name of their email provider.
It’s hard to take a business seriously when its email comes
from AOL.com. There are even services set up on the Web such
to enable this generally harmless deception.
So once again, I’ve crossed the line and become a criminal
while blissfully unaware and carrying out my usual daily activities.
(Actually, the law requires that not only do I modify my header,
but that I send 10,000 messages or make $1,000 on spam.)
The FTC, having come to the startling conclusion that most
spam involves fraudulent claims, recently convened a workshop
on spam. Our federal legislators are grumbling about the problem
and will probably pass a bill (perhaps the typically named
“Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003”, or the CAN-SPAM Act). If our elected representatives stay true
to form, the resulting legislation will be brain dead.
A dissenting voice, MCI’s Vint Cerf, father of the Internet and of commercial email,
recently said he opposes anti-spam legislation like that proposed by Minnesota Senator Mark Dayton. Cerf said it’s very hard to track down spammers, and
thus he’s against laws that cannot easily be enforced.
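An added example, not from the newsletter or its author, of what the rerouting arrangement described above looks like at the header level, together with the defender-side check a mail filter or incident triage script would run to surface the resulting From/Sender/Return-Path mismatches (the same mismatch a forged header produces, which is why the law’s provision sweeps in both cases). The addresses are the placeholder addresses that appear on the page plus a hypothetical recipient; the Return-Path line is constructed inline because a receiving mail server would normally add it.

```python
# Added example (not the newsletter's own code). Builds a message the way the
# author's setup would produce it, then reports which identity headers
# disagree with the visible From domain. Addresses are placeholders.
from typing import Optional
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_rerouted_message() -> bytes:
    """Visible From names the StratVantage address, Sender is the account
    the mail is actually submitted from (the Well), and Reply-To points back
    at the StratVantage address, which forwards replies on."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Mike Ellsworth <firstname.lastname@example.org>"
    msg["Sender"] = "email@example.com"            # account actually sending
    msg["Reply-To"] = "firstname.lastname@example.org"
    msg["To"] = "reader@example.net"               # hypothetical recipient
    msg["Subject"] = "SNS 05/05/03"
    msg.set_content("Be on the wave or under it.\n")
    # Return-Path is normally stamped by the receiving MTA from the envelope
    # sender; constructed here so the parsed message is self-contained.
    return b"Return-Path: <email@example.com>\n" + msg.as_bytes()


def _domain(header_value: Optional[str]) -> Optional[str]:
    """Extract the domain part of an address header, or None if absent."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() or None


def header_identity_report(raw: bytes) -> dict:
    """Parse a raw message and compare the domains behind From, Sender,
    Reply-To and Return-Path. Returns the domains found and the list of
    headers whose domain differs from the From domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    domains = {
        name: _domain(msg.get(name))
        for name in ("From", "Sender", "Reply-To", "Return-Path")
    }
    from_domain = domains["From"]
    mismatches = [
        name for name, dom in domains.items()
        if name != "From" and dom is not None and dom != from_domain
    ]
    return {"domains": domains, "mismatches": mismatches}


if __name__ == "__main__":
    report = header_identity_report(build_rerouted_message())
    for name, dom in report["domains"].items():
        print(f"{name:12s} {dom}")
    print("mismatches:", report["mismatches"])
```

The check deliberately does not try to decide whether a mismatch is malicious: the author’s legitimate routing and a spammer’s forged header look identical at this layer, so the report is an input to policy (a known-good sender list, or an authenticated-sender check) rather than a verdict on its own.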
- A Low-Tech, High-Tech Nanofilter: When I speak, one of
my favorite illustrations of the current availability of products
using nanotechnology is a company called Argonide Nanomaterials.
The company’s NanoCeram™ filter
is created by sending a high-current, high-voltage, microsecond
electrical pulse through aluminum wire in an argon-filled
reactor, causing the wire to explode. The results of this somewhat
low-tech process are electropositive nanoscale fibers capable of retaining greater than 99.9999%
of virus, bacteria and protozoa at flow rates hundreds of
times greater than virus-rated ultra porous filters.
I just love this example because it shows you can get nanotechnology
benefits with fairly simple procedures.
Copyright © 2000-2008, StratVantage Consulting, LLC. All rights