Thursday, February 19, 2009

Don't give them a reason to fire you

Someone I know is currently being "done" for potential data theft. I should note the potentially biased and subjective view on my part given I know this person but I'll try to maintain some level of objectivity.

This person is currently suspended and under investigation following an incident. What did this person do wrong? Their mistake was simply ignorance rather than intentionally doing anything malicious.

Those of us in information security know better than to copy and print a bunch of stuff (unless there's a solid business justification to do it) because any organisation with an adequate security team will start wondering what the heck you're doing. Unfortunately, most people are not in the information security profession so it's not as "common sense" as we may all think it is.

This person decided to talk to me because I'm the "security guy". They asked me what they should do. My answer was to just tell the truth because they weren't actually trying to do anything malicious. This person didn't even know how to write files to a DVD a few months ago let alone know what computing-related activities could be deemed as inappropriate.

Consider these points:
  1. Most people in the world are not security geeks. Heck, most aren't even technology literate to the standard most of us assume is in place.
  2. If employees are simply told what they should not be doing and that they can potentially be monitored, they will be more wary about being perceived as doing the wrong thing. In other words, they will be more vigilant about their behaviour because they've been educated. It also means that companies will have more resources available to catch the people actually trying to do the wrong thing.

I won't divulge too much about the incident for obvious reasons (so any specifics regarding the actual incident stops right now) but I do have an opinion on what the root cause of this incident was:

Lack of security awareness training on the part of the organisation in question.

This organisation that this person works for is a large multi-national. I won't mention what industry but it's one where there's copious amounts of sensitive data lying around. So it doesn't surprise me that they have some level of monitoring in place. It is the responsibility of each and every organisation to make sure employees are properly trained in a basic level of information security awareness. It's not good enough that it says what they should not be doing somewhere in the fine print of their employment contract because no one ever reads those things.

In other words, when an employee is being pulled up for a potential security incident, it is the organisation's fault if they did not ensure that all employees were made aware of adequate behaviour when dealing with company data and information. For those wondering, no, this person's soon to be ex-employer does not do information security awareness training. I'm guessing it's because employees cannot make the company money while they are being trained in non-core business related activities.

There's actually an additional dimension to this whole episode. Like many organisations in the world today, they are undergoing a round of redundancies. This person was probably already on that list (this is what they tell me), but now it's even worse. They are suspended pending the investigation. And there's no doubt that if this person is cleared, it's "bye bye" anyway.

The problem is that as with any redundancy, there is a severance package to make things slightly easier. But guess what someone dismissed for misconduct gets? That's right, absolutely nothing. So now the situation is worse. Not only is this person being made redundant, they will probably not get their redundancy package because of this so called "misconduct". Way to go big corporation. Turn up the investigations and justify not paying people by saying they attempted to steal a bunch of sensitive information.

When people are scared about being put on the chopping block, what's their first instinct? That's right, they go through their systems and back up all their personal things. We can argue that there should not be any personal things on company assets, but it gets very difficult especially if you have worked for a company for some time.

Ones with more sense don't touch any company material. But there are those who aren't actually trying to steal anything but simply think certain documents are useful to have in their "kit-bag". You know what I'm talking about: "cheat sheets", document templates and the like. This is all too common an occurrence and is actually part of the reason there's a so-called "data leakage" industry. It's commonly termed "inadvertent leakage of information". The assumption that it's not harmful to copy certain things if there is no malicious intent is an incorrect assumption on the employee's part, but they don't know any better. Once again, education and awareness.

The more common problem lies with the information where there's a fuzzy line between whether something is work-related or not. Generic education materials are a good example. The company could argue that it's their property even if they did not create it, but individuals typically want all the education they can get their hands on. After all, they're going to potentially need it to find their next job. If you're not sure, just don't take it.

While companies are busy investigating innocent (but rather ignorant) individuals for potential data theft, people with more malicious intents could possibly get off unscathed because there may not be adequate resources to investigate them or even notice they've done anything. In fact, if someone has malicious intent, they probably did some level of planning to make themselves more difficult to catch. So companies don't have any chance of discovering anything's happened if they don't have adequate resources available. And if they are off investigating anyone who printed anything or copied some files to a USB drive, they are going to run out of resources rather quickly.

Doesn't really matter though Mr. CEO, does it? Think of all the money you're saving by not having to pay out these pesky redundancy packages!

As for this person, the investigation is pending. They have told the truth, handed everything over and now just have to wait. Don't make the same mistake because of ignorance.

Wednesday, February 11, 2009

Open letter to IBM - your communities sites are causing spam

Dear IBM Community Managers & Social Media Czars,

I've noticed that you have finally realised it's 2009 and not 1989. As such, you seem to have taken little baby steps moving beyond traditional methods for marketing and community building. Apart from a sporadic sprinkling of twitter accounts (mine is here if you want to follow me to deal with my complaints there instead of waiting for open letters), you now seem to have what looks to be the beginnings of centralised communities sites (whoa what an "innovative" concept).

It looks to me like these sites are trying to aggregate useful things for each community (e.g. blogs, tags, forum discussions) and while not exactly "cutting edge", it is a start considering how you have done nothing about evolving your old marketing and communication strategies since Lou Gerstner joined the company. He obviously couldn't do much about it because he was too busy trying to save IBM from going down the crap hole, so you could be forgiven for taking some time to catch up but seriously, it's frigging 2009 IBM.

I have a specific issue regarding your communities sites. Maybe I'm stupid so bear with me but I signed up to be a member of your IBM Security Community thinking I should take a look at whether my ex-employer has finally realised what year it is. The first thing it insisted on was that I used my IBM ID (which still thinks "Identity Federation" might have something to do with Star Trek). This is fine, except that the IBM ID now insists that users have to use their email address as their login. This is fine in principle, but it looks to be the root cause of the problem which I will expand on later. All things considered, this part of the process was fairly easy. So I started to take a look around and realised that it was pretty bare-bones. Again this is fine because I realise this whole "Internets tubes thingy with sites and people at the end of them tubes" is fairly new to you.

Just a matter of days later, I started to get messages sent to my personal email offering to shower me in riches on receipt of my bank details and interesting products offering to "enhance my manhood". I NEVER used to receive unsolicited messages to the email address in question due to the fact I take precautions not to give it out unnecessarily or to post it online (yes on the "Internets tubes thingy"). So I did some digging online (it's called searching, IBM - you may have heard of this small company called Google?) and found my email address! And where did I find it?! On your IBM Security Community site that's where! I should note that I could see this without being logged in. Yes, this means it's PUBLIC.

I immediately logged in and tried to find the offending page. Upon finding it, I immediately went about trying to change my settings to remove it from public view. About 15 minutes later, I finally realised I had to navigate to a listing of everyone's profiles to get to my own profile (nice to see you still haven't hired usability designers). I then clicked on my profile details and there it was, my email address staring at me.

While the incongruity of it all was unnerving, I pressed on. I thought: "OK, I've found it, now I'll just go change the settings". So, I clicked on "Edit My Profile" and spent about 10 minutes clicking on the same links over and over and over and over and over again in the hope that my email address would magically appear (that's what I used to do when I had to demo your software). I persevered thinking that it must have been my own fault or stupidity. And then I had a "eureka moment" as I glanced at the bottom of the screen. It read: "IBM Lotus Connections". And then it hit me: "Ohhhhhh it's Lotus software. I'm going to need to go screw around with some Lotus Notes database somewhere which I don't have access to". By the way, is this new-fangled Lotus software incarnation just crappy old Lotus Notes with web bits hidden behind WebSphere Portal Server (if you mention the word "cloud" anywhere in your answer I'm going to throw up)?

IBM, does this mean that you are simply pulling my email address from my IBM ID and not giving me a way of changing this? Why does this matter you ask? Well, perhaps if it was listed I could potentially delete the field in the absence of adequate privacy controls in your software. That's why! But the fact it's linked makes me think that I'd have to de-provision my IBM ID, or at the very least de-provision my IBM Security Community membership (is that some Lotus Notes group?). Oh I'm sorry I just realised that I'm talking to Lotus and you don't talk to Tivoli so all this talk of provisioning must be confusing the heck out of you. Don't despair, read on and you might start to get it.

Thinking that surely this could not be the case for everyone unfortunate enough to have signed up to the IBM Security Community, I looked around. Sure enough, I found a link that listed ALL the members of the community. And against each member, you guessed it: their email address. Don't tell me it's all fine because to get the email address you have to hover over the person's name before the menu comes up to click through to their details. A bit of JavaScript cobbled together with "security by obscurity" does not pass the test. At this point, I was thinking that this was pretty piss-poor (Aussie slang but I think you get the point) given this was supposed to be the frigging "SECURITY COMMUNITY".

Hoping that this was isolated to this community, I decided to take a look at the other non-security communities. I hoped that someone would have some sense to configure the other communities differently. To my despair, the other communities were exactly the same which made me think this was the default behaviour of the software. So IBM, this is what you've done; anyone who is a member of one of your new communities sites has now had their email address exposed to the world whether they like it or not. Even worse, there is no way to turn this off short of leaving the community. But it doesn't really matter now because you may not have figured this out yet IBM, but once something is on the web it's pretty much there forever. So I could leave your community, but the damage is already done so there's not much point.

I'm not actually sure your community moderators can do much about this issue so I choose not to blame them. It is disappointing that it looks like this is the default behaviour of your "Lotus Connections" software.

Having tried unsuccessfully to change my profile settings, targeted twittering to ask this question (without replies) and a lack of an obvious mechanism for feedback on the communities site, I've decided to write this open letter hoping that someone at IBM who can do something about it reads this. If this has reached somebody in Lotus-land, you are probably confused by all this talk of security and privacy. In the event you have not spoken to someone in Tivoli-land to help you decipher my ramblings, I'll summarise everything for you:
Why do all the IBM communities sites display all member email addresses by default? This would not be so bad if there was a way to update profile settings to hide email addresses. But either through a software limitation or my own stupidity, there does not seem to be a way to do it. Why does IBM see fit to display people's email addresses by default and not allow for a way to "opt-out"?

By the way IBM, if I were to "accidentally" click on one of these offers I'm getting in my email, can I use my old IBM expense account to claim the costs? If so, I could potentially overlook your blatant disregard for my privacy.

Yours sincerely,
Ian Yip
Disgruntled ex-IBMer

Tuesday, February 10, 2009

CA continues their GRC march

I've observed in the past that CA looks to be getting serious about this whole Governance, Risk and Compliance (GRC) caper. Today, they released version 2.0 of their GRC Manager. I first found out about the impending release some time last week when CA got in touch offering a briefing, which I accepted (Aside: I usually accept these requests unless there's a conflict of interest on my part).

I spoke with Marc Camm (SVP & GM, Governance, Risk and Compliance Products), Tom McHale (VP of Product Management for CA GRC Manager) and Sumner Blount (Senior Principal Product Marketing Manager for Governance, Risk & Compliance) regarding the release. Apart from the press release, CA's also made a blog post and a video. There's even a few screen shots. All I can say is that they've gone all out to get some discussion around the release.

I won't rehash any of the stuff CA's already put out there because I really hate when others do it. What I will say is that version 2.0 is centred around what CA calls Risk IQ, which is another way of saying they want to help turn raw data into useful information that organisations can use to make better decisions around risk. This however, has always been the "holy grail" of any product with "risk" or "monitoring" as part of its features. Whether CA's Risk IQ delivers on its promise remains to be seen. 2.0's features are essentially all the useful "risk bits" they didn't put into version 1.0. It's available via the standard off-the-shelf model we're all so used to, a managed services offering or the SaaS version (CA GRC On Demand).

Some other things I did pick up during the conversation:
  • CA did not deny that there would still be a sizable amount of "heavy lifting" done by organisations and implementation partners (such as PwC). GRC Manager is simply a tool to facilitate risk and compliance requirements.
  • GRC Manager leverages the IT Unified Compliance Framework as a way of implementing a core set of policies that allows for easy expansion for use with regulatory requirements (e.g. Sarbanes-Oxley, HIPAA). Note: a lot of the large vendors take a similar approach - for example, IBM Tivoli likes COBIT.
  • CA runs their GRC and Security divisions as separate business units. In other words, they will ensure they integrate nicely with the Security products but are just as happy to integrate with other Identity and Access Management suites (this is "toe the company line" speak for "we don't really care if our potential customers don't use CA's security products"). I asked them how they saw the recent acquisitions of IDFocus, Eurekify and Orchestria and they said it was great to have as additional tools for integration within the CA family, but don't have any plans for wrapping GRC Manager around them as they belong to the Security division.
  • One thing I wanted to clarify for my own understanding was whether they saw GRC Manager more as an identity-focused, operations-centric GRC tool or an enterprise GRC tool. The answer was that GRC Manager is an enterprise GRC tool, a "manager of managers" if you like. In other words, GRC Manager competes more with OpenPages than it does with SailPoint.

Relatively speaking, CA are just starting their GRC software journey, but I think they've got a head-start on many of the other large vendors they are usually pigeon-holed with (except for Oracle, who have a genuine claim to at least be on par, if not ahead). I'm not sure if they're quite there in terms of functionality when compared with some of the established smaller players (e.g. OpenPages) but they certainly have the ambition and company focus to get there. Once again, it'll be about execution (and perhaps the odd acquisition here and there).