Can We Talk?

Posted: June 23, 2014 in IT Security

Note: I published this piece several years ago. I’d certainly like to understand if anything has changed for the better in this regard.

An effective Information Sharing mechanism boils down to trust.

Like most, I have had the pleasure of meeting people working in the security industry across this country through a number of venues. Like many affiliations these days, while we only get to see each other at a conference or marketing event once in a while, we are typically connected virtually through discussion boards and close-knit forums, which give us the opportunity to continue broad and specific discussions at our leisure.

Over time you get a good sense about the people you deal with on a day to day basis. Familiarity flourishes, giving you the latitude to establish trust in the people you are engaging. Trust is the foundation of any successful Information Sharing paradigm. Any effort to initiate a program for sharing information in and around Information security is doomed to failure unless it is initiated by and with people who have already established professional or personal relationships and trust each other.

There are two core facets to trust; first you have to be willing to receive and accept information and secondly you have to be prepared to share true and accurate information. This shouldn’t be too difficult in an industry that is inundated with codes of ethics, security clearances and the like. Do anything to set the precedent that you are untrustworthy and the matrix will become unraveled.

Why has it been so difficult, then, for the Government of Canada to initiate an information sharing program around Critical Infrastructure? Lack of trust.

Participants inside and outside the Government don’t trust each other. Internally, basic human instincts are dictating how people decide to engage each other interdepartmentally. A number of Government stakeholders are competing with each other with regard to the mandate. Careerism also takes its toll on the evolution. External participants will not share information due to the fact that the Department with the mandate has introduced clauses in their legislation that will not protect the proprietary information of the participants from disclosure. What kind of trust model is that? Is it unreasonable to be reticent if the security of the proprietary information of your company is subject to a simple Access to Information Request?

There are some models for this kind of collaboration that have been successful for a long time. I refer to the ITAC Cyber Security Forum, an industry-government policy roundtable that has been meeting at least quarterly since 2000. A great deal has been achieved by that group; they are a good example of thought leadership and information sharing, and an excellent model for other like-minded groups. The collaboration that goes on around international certification providers, like that of the CISSP program, is another good example. While it’s not Canadian, the participants certainly put a Canadian identity to their contributions. Other virtual collaborative groups, such as the forum sponsored by Winnipeg’s Dan Swanson, have global reach in the audit and security spaces, where there is no discernible cultural differentiation.

Associations like the Information Systems Security Assoc. (ISSA), Armed Forces Communications & Electronics Assoc. (AFCEA), and the Federal Assoc. of Security Officials (FASO) all have the ability to drive this agenda. However, because they are regionalized and do not have the mechanisms in place to easily push a national agenda with cooperation among all the facets of Critical Infrastructure, they are perhaps ill-suited to the task.

The Crown has taken the opportunity to listen to the successes of other government bodies within the “trusted” community. They solicited advice from subject matter experts in Canada and abroad to listen and share their views on what would work best. There was discussion around the need for proper information management and categorization in the private sector, security clearances and the like that would facilitate a higher trust level.

Perhaps the truly workable solution is not one hosted or moderated by the Government. There are many public companies with the expertise who share the Crown’s concern that we need a better grasp of the security threats to Canada’s critical infrastructure. Many of these organizations are already set to participate, given they assisted the Crown stakeholders in the evolution that is Critical Infrastructure Protection in this country. However, the Government of Canada should take a long hard look at what works. Perhaps a public/private partnership will elicit the necessary mechanisms to make cross-sector information sharing, in the form of the US Information Sharing and Analysis Centers (ISACs) or InfraGard, possible.

It will take some investment, but anything is better than waiting another seven years for this part of a mandate to unfold.

We all lead busy lives. Many of us are, or have been, in relationships with partners with whom we don’t live in the same household. With that in mind, like any form of communication, texting has become a preferred means of staying in touch. However, it can also create problems in a relationship.

Texting is a convenient technology: it’s usually faster and easier to send a text than to make a telephone call, and it affords some additional privacy if you’re not in a position to make a call, depending on the subject matter of the conversation. However, you’re not getting the context of what’s going on at the other end, and that can create miscommunication.

Over the phone, you can tell how the person feels, through their tone, a pause, whether they are laughing or crying. With texting, you get none of that and it’s impossible to know how your significant other is reacting to what you’re saying on an emotional level.

Text messages can easily be misunderstood. It’s happened to me, and I was astounded at how upset I got when I received a series of texts and thought they meant one thing, but my partner meant something totally different.

Often fights and arguments ensue because of misinterpretation of text messages. It’s impossible to tell the difference between emotions like anger, sadness, sarcasm, sincerity within a text message. A person might be joking with their partner, and he or she interprets it as their partner being angry. Then texts or rather lengthy calls have to be exchanged to unravel the miscommunication.

The irony is that we see texting as a fast way to communicate, but when it leads to a misunderstanding in our relationships, it can take hours to undo the damage.

Another problem is continuing to text when a text message has already created an argument.

In the middle of an argument, you can end up sending dozens of texts rather than doing the sensible thing and picking up the phone or meeting in person. Trying to resolve it by text is easy to do, because it’s normal to be hopeful that you can clear it up in the next text, but it usually doesn’t work! You can end up spending hours texting back and forth when you should really just pick up the phone or meet in person.

The last thing you want to do is communicate by text in the middle of an argument. Just one bad misunderstanding coupled with intense emotions can lead to irreparable damage to a relationship.

Leveraging text messages to avoid conflict can also be concerning. I can appreciate that sometimes people are afraid to talk to their partner on the phone or meet in person when their partner is angry, because they think that will make things escalate, but texting often makes things worse.

The other problem with texting is expectations that a person’s significant other–or even someone they’re casually dating–will respond immediately to their text.

Now the expectation is that we’re supposed to be available 24-7 to our significant others, and respond immediately to their text messages. People get angry or think their partner is upset with them when a text isn’t returned promptly. ‘You didn’t respond to my text until an hour later!’ But we are not always available.

This is compounded by the unreliability of the technology, and the occasional text that doesn’t arrive until a couple hours later. There are some couples that like to stay in touch during the workday, but when there’s a delay in responding it creates conflict.

Some good advice is to not text at all unless it is a short positive message that can create bonding. Instead at some point during the day pick up the phone and say ‘hello.’ For extremely emotionally charged topics, it would probably be best to not text at all. It’s amazing how that alone can restore some stability.

I’m sure people have broken up over text messages, but it takes two to tango. If your significant other wants to text about important issues in your relationship, you can say ‘sounds important, let’s talk about it tonight, I don’t feel comfortable discussing this via text.’ Think before you text.

Up to four million of us in Ontario could have had our identities stolen and we still don’t know exactly what that data comprised. It’s about time that Departments and Ministries were held accountable by the public. Some finger pointing by Ann Cavoukian simply isn’t enough! Oh, by the way, if you live in the Ottawa South riding, as I do, you’re impacted! The very least the Province should be doing is providing potentially impacted constituents with identity theft insurance to mitigate the risk they created!

There’s been a great deal of chatter around the recent City of Ottawa pension fund data breach.

The City hired Towers Watson to conduct a fund review and, while in the process of transferring the data, unencrypted I might add, to a new computer system, they discovered the hard drive was missing from a safe.

The identifying information of approximately 800 former City of Ottawa staff, including police officers, firefighters and their beneficiaries, was impacted. Not a huge disclosure for anyone who keeps up on such incidents, but significant to the 800 former City employees who had their names, birthdates, social insurance numbers and pension amounts lost.

Now while Towers Watson has done its due diligence and sent letters indicating they will compensate these pensioners with a credit monitoring service, it is seemingly stalling until September to provide an update. This event occurred in May; six full months is required to investigate?

It’s important to understand that this breach did not occur in Canada. I know, we all like to think our private information is stored, in a secure fashion, within our own borders, but that was not the case for this group of 800, or for many other Canadians either.

The hard drive in question was being stored in the Philippines.

Again, the chatter in the security community is rife with the usual discussion around contract details and clauses that protect the client from these incidents, and so on. I have seen, read, written, counter-proposed and laughed at thousands of these contracts over the years, and one thing they fail to protect us from is insider abuse.

Having a mitigation plan, or a compensatory set of clauses in the event of an incident might help the two parties (the City and Towers Watson in this case) sleep better at night, but I bet the 800 impacted pensioners aren’t sleeping so well right now. Not with the worry of identity and possibly pension theft to mull over.

Some have indicated that in this age of evolving openness, transparency and the “age of networked intelligence”, that the important aspect is the need for “accountability”.

To a certain extent, that mantra is correct, but I would suggest that the City is fully accountable. They were the ones who decided to sign off on a contract with a vendor who has let this Personally Identifiable Information go across, not only the Canadian and US borders, but to the Philippines.

What verification and due diligence was there to ensure that the resources in the Philippines were trustworthy? All this rhetoric around open Internet is one of the base causes for breaches of PII in the first place. I’ve always stood my ground on the concept of keeping the data in Country when and if you can. There is absolutely no reason why the City of Ottawa could not have found this service in Canada. If they could not, the data could have been kept in Canada.

For the sake of argument though, if they had no other choice but to go outside the country, the due diligence from a privacy and security perspective should have been commensurate with the sensitivity of the data, as should have the mitigation plan and contract details. That said, we all know how poorly the City of Ottawa writes contracts! As a CISM for a Canadian Financial Firm, I face these challenges daily and I am sick of the spun stories, clauses and promises to keep data safe, only to see a meteoric rise in breaches!

Here is a link to the US government news release yesterday announcing US participation in the Asia-Pacific Economic Cooperation (APEC) cross-border privacy-rules system: I wonder how this stacks up against the Canada-US border deal that was the subject of news stories a few weeks ago, for example the one titled “Border privacy pact puts personal info at risk, says privacy watchdog”. The immediate subject of that concern is the “Border Action Plan: Joint Statement of Privacy Principles”, as announced in a Public Safety Canada news release at:

These efforts outline a set of privacy principles, which of course translate into security controls, that are intended to commit the parties to protecting privacy and ensuring safeguards are in place. There are a dozen of them, all grand to read, and they give me that warm and fuzzy feeling I need to help me sleep at night.

However, the devil is in the details. While the Governments of Canada and the US may consider this a step forward in helping the economic flow, here in Canada I’d suggest we get our legislative ducks in a row and provide some additional oversight and prescriptive controls to ensure that Canadian infrastructure, critical or otherwise, is able to participate in such grand partnerships.

Then, when it comes time to prepare and review contracts, they will be solid enough for the ink. Moreover, 800 pensioners wouldn’t have to worry about their future!

While LinkedIn indicates that it is still investigating, I can attest from even more reliable sources that anyone using LinkedIn should immediately change their password. They have suffered a breach of over 6 million accounts. Here is my experience yesterday: my Gmail account is noted on my LinkedIn profile, attempts were made against that account yesterday, and Google forced a password change (they monitor for account breaches). I don’t believe in coincidences, so that password was changed as well.

One particular piece of advice, NEVER use the same password for multiple accounts!!! I cannot repeat that enough, especially for cloud based services; NEVER!!

From LinkedIn: one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites. Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy.

Here are some account security and privacy best practices that we recommend for our members:

Changing Your Password:

  • Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
  • You can change your password from the LinkedIn Settings page.
  • If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
  • In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.

Creating a Strong Password:

  • Variety – Don’t use the same password on all the sites you visit.
  • Don’t use a word from the dictionary.
  • Length – Select strong passwords of 10 or more characters that can’t easily be guessed.
  • Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
  • Complexity – Randomly add capital letters, punctuation or symbols.
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
  • Never give your password to others or write it down.

A few other account security and privacy best practices to keep in mind are:

  • Sign out of your account after you use a publicly shared computer.
  • Manage your account information and privacy settings from the Profile and Account sections of your Settings page.
  • Keep your antivirus software up to date.
  • Don’t put your email address, address or phone number in your profile’s Summary.
  • Only connect to people you know and trust.
  • Report any privacy issues to Customer Service.
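The rules above (length, no dictionary words, look-alike substitutions, variety across sites, a phrase reduced to its first letters) are easy to turn into a checker. The following is an added example written for this page, not LinkedIn’s code or anything from the original post. It assumes a toy wordlist standing in for a real cracking dictionary and a hypothetical list of passwords already used on other sites, both constructed inline. One practitioner’s caveat built into it: password crackers apply the same “0 for o, 3 for E” substitution table as a mangling rule, so the dictionary check undoes those substitutions before looking the word up, and the reuse check compares the same normalised form so trivial variants of an old password count as reuse.

```python
import re
import string

# Constructed toy wordlist standing in for a real cracking dictionary
# (assumption: a deployment would load a full wordlist instead).
COMMON_WORDS = {"password", "linkedin", "welcome", "letmein", "qwerty",
                "sunshine", "monkey", "dragon", "football", "iloveyou"}

# Look-alike substitutions from the list above ("0" for "o", "3" for "E", ...).
# Crackers apply this same table as a rule, so the checker reverses it before
# the dictionary lookup rather than treating it as added strength.
LEET_TABLE = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 10      # "10 or more characters"
MIN_CLASSES = 3      # of lower, upper, digit, symbol (an assumption, not LinkedIn's number)


def normalise(password: str) -> str:
    """Lower-case and undo look-alike substitutions; used for comparisons only."""
    return password.lower().translate(LEET_TABLE)


def is_dictionary_word(password: str) -> bool:
    """True if the password is a listed word once substitutions are undone."""
    letters = re.sub(r"[^a-z]", "", normalise(password))
    return letters in COMMON_WORDS


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def phrase_to_password(phrase: str) -> str:
    """Build a password from the first letter of each word of a phrase,
    keeping capitalisation as typed and any punctuation that ends a word."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


def check_password(password: str, previous: list) -> list:
    """Return the rules the candidate breaks; an empty list means acceptable.

    `previous` is the list of passwords already used on other sites. The
    reuse check is done on the normalised form, so "P@ssw0rd" versus
    "password" is still treated as the same password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if is_dictionary_word(password):
        problems.append("dictionary word")
    if character_classes(password) < MIN_CLASSES:
        problems.append("low complexity")
    if any(normalise(password) == normalise(p) for p in previous):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed: one password already in use on another site.
    used_elsewhere = ["Cwt?Tl,cm!"]
    candidates = [
        "P@ssw0rd",                                        # substitutions only
        phrase_to_password("Can we talk? Text less, call more!"),
        "cwt?tl,cm!",                                      # variant of an old one
    ]
    for candidate in candidates:
        print(f"{candidate!r}: {check_password(candidate, used_elsewhere) or 'OK'}")
```

Run on the constructed inputs, "P@ssw0rd" fails on length and on being the word "password" once the substitutions are undone, the phrase-derived "Cwt?Tl,cm!" passes against an empty history but is flagged as reused once it is on the list, and the lower-cased variant is flagged both for reuse and for low complexity.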

Medical Device Security Trends

Posted: February 9, 2011 in IT Security

In Canada, the following article (two sources noted below) makes me reflect on where exactly the demarcation point lies between the integrator’s responsibility to deliver a secure and private Electronic Medical Record solution and the physician’s responsibility and accountability for the security and privacy of the information they process on a day-to-day basis.

I’ve long observed that doctors are often irritated with the myriad privacy and security considerations that IT solutions bring into their practices. However, having made the decision to adopt an EMR solution, you frankly have no choice. To point the finger at your vendor and suggest that they are responsible end to end simply won’t work. Docs have to enforce their share regarding the people, process and technology within their practice; otherwise security and privacy incidents affecting patient data will continue.

Ensure you have a solid security and privacy policy. Ensure you educate and inform your staff about it. Ensure you have hard disk encryption on any storage device you use to manage patient data. Don’t use personal web-mail addresses and the like. Think about two-factor authentication. The list goes on.

Doctors, take a long look and have a hard think about the risks you assume when you use a smartphone, like an iPhone or Android, just because of the cool medical apps. Think twice about using it or an iPad for processing practice or patient data, as they have no real inherent security mechanisms. If you intend on using them, look at solutions like Mobile Active Defense to provide the secure means to properly leverage these assets in your practice.

Just think about the aggregate intelligence value to marketers, governments, and criminals that Facebook, MySpace, etc. have to offer. It should give significant enough pause to rethink the personal info you share. Posts are never deleted for those who can see them at the back end, and with lawful access legislation, especially in the US, UK, France, Australia, etc., governments are now scraping the web for any items of interest with the help of Internet providers that are facilitating the service. Caveat emptor!

While it’s a rehash of Bill Brenner’s (of CSO Mag) list, I think it’s a valuable list for any of you tweeps out there looking for some insight in 140 characters or less. Here they are:

@SecBarbie @ashimmy @beaker @falconsview @georgevhulme @jack_daniel @jtkeating @mgbits @SecRunner @WH1T3RABBIT @bug_bear @spacerog @myrcurial @benrothke @jjx @dewzi @danielkennedy74 @lauren @selenakyle @wardspan

@leighhollowell @petermannmc @Shpantzer @rybolov @csoandy @e_cowperthwaite @grecs @wikidsystems @lmwalsh2112 @PHYSECTECH @BrianHonan @kriggins @MikD @WeldPond @mckeay @ken5m1th @leighhollowell @petermannmc @hinesmatt @SecureSun @mmurray @dacort

@adamshostack @RafalLos @agent0x0 @rogueclown @alexhutton @joshcorman @armorguy @quine @rmogull @treyford @gattaca @mckeay @andrewsmhay @burgessct @mschafer @0ph3lia and @lmacvittie @hypatiadotca @451wendy

@tottenkoph @stacythayer @pauldotcom @donicer @aloria @SilverstoneA @DeathwishDuck @SecurityBSides @NAISG_atl @quadling @kidko92 @lennyzeltser @sans_isc @nickf4rr @jeremiahg @dakami @shrdlu @jsokoly @adamely

Wikileaks is not Open Gov!

Posted: December 27, 2010 in IT Security

So Michael Moore is throwing money into the bail fund for Julian Assange. Moore makes some very wild-assed speculations in his comments, but I’m sure there will be a buck in it for him down the road.

Why would anyone think that Wikileaks methods are the right way to enable an open government?

What gets me is this bloody sense of entitlement many have. You think you’re entitled to every document that your Government processes. There are laws in place to protect certain information for very good reasons. Just as you’re not supposed to run stop lights, steal a car, or walk up to a cop and punch him in the face, you should not be stealing Government (or corporate) documents and feeding this beast. It’s against the law. If you want the law changed, Wikileaks isn’t the way to do that!

Moreover, we still do not know the methods Wikileaks employs to get its content. Is it paying people? Do they actively recruit and subvert? That possibility exists as well. So let the other mechanisms of Government determine all that before you start writing cheques for Assange!

25 Year Anniversary

Posted: December 12, 2010 in Miscellania

Today marks the 25th anniversary of the loss of 256 souls on board Arrow Air Flight 1285 in Gander, Newfoundland, including 248 members of the 101st Airborne.

Details are here: Wikipedia:

I was serving in Gander at that time. The evening prior we had celebrated our Junior Non-Commissioned Officers Christmas Dinner and by the time I hit the rack, I was feeling no pain. In the morning, having had a bite to eat and boarding the morning run to our operations building, we were turned around by the dispatcher due to an emergency back on base.

The following 4 days were a blur due to security details, bagging and tagging dead soldiers, extracting charred remains from various pieces of the broken plane, and facilitating various duties to ensure the comfort of the 101st Airborne members who came to set up the morgue and begin the laborious process of identification and return of these men back home to their unit and families.

Without getting into gruesome details, it is an event I would not want to do again, but volunteered to do it gladly at the time.

My thoughts and prayers are with the families of those fine men and the crew of the aircraft today. May you all be resting peacefully in the knowledge we all appreciated your ultimate sacrifice.