Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

Uncle Sam doesn’t have a clue on data privacy, cyber crime laws, and neither do we!

©2011 Braydon Fuller

©2011 Braydon Fuller

The point of the article that is the source of the quote below is exactly right: there is no consistency, cohesiveness, or harmony with the cyber crime and data privacy laws. I believe there are several reasons but these are the two that are most prominent:

  • The cyber crime and data privacy laws are a patchwork collection of laws that have been enacted based upon reactionary fears over a vast amount of time, each in response to a particular “concern of the day” without taking into account the other laws or the possible evolution of the issues and technology they seek to redress. Imagine trying to paint a painting after blindfolding yourself and then only using “dot by dot” with the tip of the brush to make the painting — no strokes (seriously, try it).
  • We, as a society, do not yet know what we really value.
    • On one hand, we want to protect our own information when it is in the custody of others yet, on the other hand, also disclose much of our own information through public channels yet keep others from using that information for purposes we do not like.
    • On one hand, we want to protect other people’s information yet, on the other hand, we want to freely exercise our perceived rights to free access to information (even when it may legally belong to others).
    • On one hand, we want to have a secure information system that allows for vibrant eCommerce that is protected by laws prohibiting people from “hacking” that information, yet on the other hand, we want to protect the rights of the good “hackers” who do security testing and are necessary to ensure that information system is secure.
    • On one hand, we want to punish those who have our information, try to protect it, yet have others hack them and steal it while, on the other hand, support those who are hacking to steal such information, while, on yet another hand (or foot), freely give our information to others and then punish them for using it in ways we do not like.
    • … and the list could go on … (for more, see Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue?)

Anyway, here is the article that got me thinking about this at 4:00 in the morning:

Uncle Sam has gotten his wires crossed on internet data privacy. A hacker went to prison for exposing private customer information that AT&T failed to protect from online access. Now U.S. prosecutors are defending their right to do essentially the same thing in the Silk Road drug-website case. Anti-hacking laws are tough to take seriously when even enforcers can’t decide what’s allowed.

via Uncle Sam gets wires crossed on data privacy.

3 Steps the C-Suite Can Take to Strengthen Cyber Security

NTCC 1The C-Suite is ultimately responsible for failures of a company’s cyber security. A recent example of this is how Target’s CEO, CTO, and several Board Members were pushed out in the wake of its data breach.

SEE BELOW FOR EVENT REGISTRATION!

This puts leaders in a difficult position. It is almost a statistical certainty that every company will suffer a data breach sooner rather than later. Does that mean that most C-Levels and Directors are on the verge of losing their positions because of a data breach? Does it mean that their careers and future are now out of their control?

No, it does not have to mean either of those things. There are steps leaders can take to help minimize the risk of these things happening, both to themselves and their companies.

Leaders will be Judged, but by What Standard?

Because statistics show that virtually all companies will eventually suffer some form of data breach, the standard by which their leadership is judged is not whether their company did or did not suffer a data breach. That is now a given.

Rather, the standard is whether, prior to a breach, the company had taken reasonable steps to protect its systems and data and whether it made appropriate plans to respond and mitigate the effects of such a breach.

Because the risk is foreseeable, the question is one of preparation. That is, did the leaders act reasonable in preparing their companies now that they are aware of the risks their companies face. If they did, they have much better odds. If they did not, they will be judged harshly.

How can leaders help prepare their companies for these challenges?

The 3 Steps

To prepare their companies, the C-Suite must show leadership on this issue by setting a tone for the company and establishing a culture of compliance when it comes to cyber security. This must come from the top down. There are three steps that leadership can take that will help create that culture:

  1. Leadership must truly care about cyber security and the digital business risks their company faces;
  2. Leadership must show its concern and commitment by dedicating appropriate resources for cyber security and minimizing digital business risks; and
  3. Leadership must listen to those responsible for, and who work most closely with, cyber security issues. By listening, leadership reaffirms its concern and commitment to a culture of compliance for cyber security. Leadership also increases its knowledge and understanding of the nature of the cyber security threats and the digital business risks the company faces.

Where Can Leaders Start?

The starting point for members of the C-Suite and Boardroom is to gain a better appreciation and understanding of the risks their companies face. There is a great opportunity for them to do this by attending an upcoming seminar sponsored by the North Texas Crime Commission.

The seminar, Strengthening the Weak Link: Cyber Security Essentials for the C-Suite, will be held at the George W. Bush Institute at Southern Methodist University on October 16, 2014.

The keynote speaker will be Tom Ridge, former Secretary of Homeland Security. There are several other notable speakers who will be sharing their knowledge of these risks, including members of the cyber units of the FBI, Secret Service, United States Department of Justice, and many others.

Register for the event on Eventbrite by clicking HERE! 

NTCC Cyber Security SeminarNTCC 3

NTCC 4

Supreme Court: Private Information Is Worthy of Protection, Even on Cell Phones

In Riley v. California the Supreme Court made it clear that people’s private information is worthy of protection, even on their cell phones, in holding that cell phones are generally protected from searches without a warrant. 

The Supreme Court ruled Wednesday that police cannot go snooping through people’s cell phones without a warrant, in a unanimous decision that amounts to a major statement in favor of privacy rights.Police agencies had argued that searching through the data on cell phones was no different than asking someone to turn out his pockets, but the justices rejected that, saying a cell phone is more fundamental.

The ruling amounts to a 21st century update to legal understanding of privacy rights.

“The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought,” Chief Justice John G. Roberts Jr. wrote for the unanimous court.

“Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple— get a warrant.”

via Supreme Court bans warrantless cell phone searches – Washington Times.