The Professional

An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education - "Chapel Hill Researcher Fights Demotion After Security Breach"

A cancer researcher's database of gets potentially pwnd (two years from incident to discovery), spurring the usual breach notification process.  Her bosses cut the researcher's pay and reduced her status to associate from full professor.  The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.

"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."

Working in the Public Interest

I believe that there is a another option.  Some folks are in charge of security but are not liars, but are incompetent.    And, yes, it is hard to tell them apart.

If it was money that was stolen, and someone said "I have no way of telling if the books were correct.  I trusted the accountant.  He was an experienced bank teller" what would be the response.  Why didn't you hire a forkin' CPA?  CPAs have professional knowledge, and ethical obligations, and if they fail to meet them, you can have their license pulled.  

No so with security folks.  Why is it acceptable to treat for others to manhandle your personal, private data more cavalierly then your  accounting records?  

I'm tempted to start my rant on certification, psuedo-science and "computer forensic professionals" but I'll save it for the next post.   

Fingertips

From today's Austin American Statesman, this article discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and if it is worth the delay it may be causing in processing (Department of Agriculture says it isn't).
There are lessons to be learned at Texas HHSC.
Starting here:

The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers' time. The state and federal governments split the cost.

Last year, the fingerprint program led to the state investigating just four applicants for fraud.

But state officials say it's impossible to know how many people are deterred from applying multiple times because of the fingerprinting.

But later in the article:

The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.

I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor's response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is "no way of knowing" the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? If they don't try to measure the change post implementation, how do they know it's working?

On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don't have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost.

You tell 'em Stevie.

Data Rustler

The best thing to come out of the Texas Lege since....ever.
A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)

But I'm not talking about the law, but the language of the lawmaker. From the Austin American Statesman -

"[Sen. Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.

“Yes, it’s going after data rustlers,” he said."

DATA RUSTLERS! YES! I now abandon "hacker," "cracker," "identity thief," and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.

Impacted Molars: Pay Hell Gettin' It Done Edition

Random Eye-tooth:
I've been reading the Counterinsurgency Manual, and I'm figuring there is some analogue to a corporate approach to minimize the "insider threat."

Extraction:
Mr. Loblaw describes a grisly example of privacy abuse in a recent decision du jour, selecting the choicest text of a 6th Circuit decision so I don't have to. But I will.

As the plaintiffs’ complaint explains, prisoners have threatened and taunted the officers, often incorporating the plaintiffs’ social security numbers (which they have committed to memory) into the taunts. Some prisoners wrote the social security numbers of some of the plaintiffs on slips of paper that they threw out of their cells.

Now that's what I call abuse of NPI, a sort of SSN gassing. But do the plaintiffs get relief? No.

[T]he guards’ social securities numbers are not sensitive enough and the threat of retaliation from prisoners was not substantial enough to warrant constitutional protection.

Ride the NPI Country:
Courtesy the continual compendium of outrages privacy related, i.e, Pogo, come this story hashes ID crime stats. The conclusion it appears to draw is that Big Sky Country is a den of ID thieves. All the big increases in identity crime occur in North Dakota and Montana, with the notable exception of Springfield, IL, which can be attributed to Groundskeeper Willie and Apu. Considering that there are more people in my MSA than all of Montana or North Dakota, I wish I could get a thorough look at the stats. Not so bad that I'm going to request data from a "marketing@" e-mail address, which ID Analytics requires.

Computer Security for Trainables:
From the Chronicle tech blog, the winners of Educause's security awareness video contest. I dunno. These videos will not be a part of my infosec counterinsurgency program. No beat, can't dance to 'em.


Bonus:
"Sweet fancy moses": the whole shocking story. Discuss.

Dog of War or McGriff the Crime Dog?

So, solider or cop? War or Crime? Or both?

I ask this question of my own self after reading (and enjoying) Michael C. W. Research's recent posts on security framed in the context of Clauswitz. Thinking it through, though, I began to wonder if war is the context information security should frame itself. After all, as an info security practitioner, you are denied both first strike and retaliation with like force. Hampered by a bureaucracy, limited by budget and laden with metrics of questionable value, you perform awareness and outreach to a resistant, often resentful community that harbors potential adversaries. When the adversary attacks, your response is defensive, forensic, and heavily regulated. In the initial analysis, it sounds more like a cop than a soldier.

Like Mr. Peterson, I recently finished reading Robb's Brave New War. Robb describes the decline of wars between states or their proxies and the rise of the global guerrilla. The global guerrilla uses system disruption and open source warfare to break down the brittle security systems of organized and highly interdependent states. Mobile and rapidly adapting to changing tactics, this adversary is usually hidden in the state it is trying to hollow it out, cooperating with or participating in transnational organized crime. Now that threat sounds more familiar; Robb describes the phishing marketplace as a example of open source warfare.

Is War now Crime? Is the infosec defense model Clear Hold Build or Broken Windows?