Archive

Archive for the ‘Communications’ Category

Info from the trenches. Using DLP to Protect PII and Blog/Wiki Information

April 8th, 2009

Sometimes I’ll have a conversation with my customers that is very relevant, and I’ll feel that it makes sense to pass the conversation on to others.

Last week was just such a case. I had a meeting with the CISO of a government agency and his staff. The conversation covered a number of topics, including Web 2.0 security and protecting sensitive information, including personally identifiable information (PII). I felt all of the conversation was valuable, but I thought that I’d cover the portion of the conversation related to blogging for this article.

The conversation revolved around blogs and wikis, both internal and external, and protecting sensitive information from being leaked from or by blogs and wikis.

Different scenarios were discussed, including blogs designed solely for internal use, blogs designed for external use, and blogs which receive content from external users.

Internal Blogs: Aren’t internal blogs and wikis, sitting behind the firewall with limited access, protected? Here’s the paradox! While the blogs themselves are protected, the data sitting on those blogs is now centrally located, and arguably more of a target. By setting up a permitted platform to allow information sharing, you’ve also set up a central repository of sensitive and valuable information.

You can protect the information found on internal blogs from exiting your organization in an inappropriate fashion by using data loss prevention (DLP) data fingerprinting on the underlying database. Adding fingerprints to the DLP database provides a way to identify wiki/blog data that is being used inappropriately (i.e., someone tries to email this data to an external party) and stop its transmission. Technologies like Websense’s patented PreciseID (TM) can provide fingerprinting technology that is fast, reliable, and secure.

Blogs for external use: Data leakage to external blogs could be a problem as well, as authors mistakenly publish sensitive material to a public-facing website.

DLP provides a way to identify and stop data deemed sensitive or personal in nature. By setting up a policy that monitors the blog web interface, an agency can minimize the risk of sensitive information being exposed accidentally.

Sensitive Data and PII Being Placed on Blogs from the Outside: In this scenario, users post information that compromises their own PII or sensitive information on an agency website. For example, a veteran uses a blog application and sends their SSN or medical records, not realizing that it would be exposed publicly.

In this case, the author’s comments are sent to a queue, pending acceptance from the publisher. DLP discovery could be used while this information is sitting in the queue, and if there is sensitive information, warn the publisher and other interested parties.
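As an added illustration (not code from the original post, and not Websense’s PreciseID or any other product), the script below sketches the two DLP checks described above: fingerprinting an internal wiki document so that copies of it can be recognized wherever they turn up, and scanning comments sitting in a moderation queue for PII such as SSNs before anything is published. The internal document, the queue contents and the document name "wiki:budget-draft" are all constructed for the example; the shingle-hash fingerprint is a simple textbook technique, not a description of PreciseID.

```python
"""Toy DLP discovery over a blog comment moderation queue (added example)."""
import hashlib
import re
from dataclasses import dataclass

# US SSN in 3-2-4 form; rejects area 000/666/9xx, group 00 and serial 0000,
# so phone numbers (3-3-4) and dates do not trigger it.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def normalize(text):
    """Lowercase word tokens only, so punctuation or case edits don't defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words, n=5):
    """Overlapping n-word windows; text shorter than n words yields none."""
    return [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]


def fingerprint(text, n=5):
    """Set of hashed shingles: the DLP index stores hashes, never the sensitive text."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16]
            for s in shingles(normalize(text), n)}


class Fingerprinter:
    """Index of registered documents, keyed by shingle hash."""

    def __init__(self, n=5):
        self.n = n
        self.index = {}  # shingle hash -> set of document names

    def register(self, name, text):
        for h in fingerprint(text, self.n):
            self.index.setdefault(h, set()).add(name)

    def match(self, text):
        """Fraction of the text's shingles found in each registered document."""
        fp = fingerprint(text, self.n)
        if not fp:  # too short to fingerprint; nothing to report
            return {}
        hits = {}
        for h in fp:
            for name in self.index.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        return {name: count / len(fp) for name, count in hits.items()}


def redact_ssn(text):
    """Mask all but the last four digits before showing a held comment to reviewers."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


@dataclass
class Finding:
    comment_id: str
    ssn_count: int
    fingerprint_hits: dict  # document name -> matched fraction (>= threshold only)
    action: str             # "hold" for publisher review, or "release"


def scan_queue(queue, fp, threshold=0.3):
    """Run both checks over (comment_id, body) pairs waiting for publication."""
    findings = []
    for cid, body in queue:
        ssns = len(SSN_RE.findall(body))
        hits = {k: v for k, v in fp.match(body).items() if v >= threshold}
        action = "hold" if ssns or hits else "release"
        findings.append(Finding(cid, ssns, hits, action))
    return findings


# Constructed sample data: an internal wiki page and three pending comments.
INTERNAL_DOC = ("Internal wiki draft, FY2010 budget: the agency plans to consolidate "
                "data centers in region four and migrate records to the shared storage "
                "platform by October.")
QUEUE = [
    ("c1", "Here is my claim info, SSN 123-45-6789, please help with my benefits."),
    ("c2", "Did you see this? The agency plans to consolidate data centers in region "
           "four and migrate records to the shared storage platform by October."),
    ("c3", "Thanks for the update, the new portal works great, call me at 555-123-4567."),
]


def demo():
    fp = Fingerprinter()
    fp.register("wiki:budget-draft", INTERNAL_DOC)
    return scan_queue(QUEUE, fp)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The first comment is held because of the SSN, the second because 80% of its five-word shingles come from the registered wiki page, and the third is released; the phone number in it does not match the SSN pattern. A real deployment would tune the shingle size and threshold against its own corpus, since short quotations of a public document will also produce partial matches.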

The publisher of a blog document has another potential issue. While checking the validity of a link in a message, the publisher could also expose her workstation to malware. The threat from this type of attack could be reduced by using something like Websense’s Defensio service. Also, Websense Security Gateway can provide real-time analysis of the content of a URL string, and block it if the content is deemed malicious or inappropriate.

This was a good example of the conversations that Websense is having with our Federal Customers. We are providing practical solutions to difficult problems.

If you are interested in having a similar conversation regarding your agency’s information assets, please contact me at 410-740-3490 or pmisner@websense.com

www.defensio.com  Websense Defensio
www.websense.com/wsg  Websense Web Security Gateway
www.websense.com/dlp  Websense Data Security Suite

Communications, Information Security, Management

Protecting Your Agency From GhostNets, Learning Infosec from The Dalai Lama

April 3rd, 2009

If you are concerned about your agency’s information security, I’d encourage you to take a look at one of the two reports that came out last week regarding the cyber attack on the Office of His Holiness, the Dalai Lama.

(Overview: Video http://www.youtube.com/watch?v=tnK0s6aWzCM, Text http://government.zdnet.com/?p=4498 )

The Dalai Lama’s organization made the analysis public, which is unusual for an information security breach of this nature. The reports are available at

http://documents.scribd.com/docs/1jiyoq3c13a9a4udh2s7.pdf

and http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

It could be argued that there is nothing new in the findings in terms of attack vectors, exploits, and payloads. What can’t be argued is that this was a highly structured attack after specific high-level targets. This attack is similar to those we’ve seen at many Federal Civilian Agencies.

One of the big differentiators I saw in this attack was the use of the content of legitimate outbound emails as a way to strengthen the target profile. The attackers took the content of legitimate outbound emails and added malicious payloads hidden in Word and Acrobat files. There was no distinction between the text of a legitimate email and a compromised email, because they were written with the exact same text.

The reason that the web and email are exploited as attack vectors is that these vectors allow non-security personnel to essentially make network access control decisions. It’s the user that makes the decision to click on the URL or download the application to their desktop. In the past, many security people have felt that the problem with web and email security was due to users who didn’t understand or care about network security. The Dalai Lama attack shows that there are web- and email-based attacks that even the most vigilant and knowledgeable security person would not be able to determine on face value.

I was enthusiastic about the analysis and detailed forensics in this report. But it was painfully obvious to me that these reports fell short when it came to providing solutions. Some of the recommendations were to use user-based access controls, like SELinux, which arguably are very difficult to implement in any environment that interacts with the outside world.

Preventing attacks like these is the reason why talking to Websense should be required for your organization. Websense has the technology to minimize exposure to these sophisticated, multi-channel attacks.

  • Websense Web Security Gateway can categorize, analyze, and inspect both known and unknown URLs, including those that contain malware and spyware. We can identify zero-day exploits, and provide protection before anti-virus definitions or patches are created. It is all but certain we would have blocked the links that contained the malware in this investigation.
  • Websense Data Security Suite can discover, monitor, and protect sensitive agency information from being disseminated inappropriately.
  • Websense Email Security can remove suspicious URLs in the cloud, even before they reach your network.

If your agency is concerned about these types of attacks, it would be beneficial to talk with my engineers and myself. To schedule an appointment with my team, please call me at 410-740-3490, or email pmisner@websense.com

Communications, Information Security, Spirituality

Review Influencer, the Power to Change Anything

July 29th, 2008

I am a big fan of Vital Smarts books, training, and CDs. Their first book, Crucial Conversations, contains essential skills needed for success working with other people. It was only later in my studies that I realized that Vital Smarts borrowed liberally from the world of non-violent communication studies.

Influencer video: http://www.amazon.com/gp/mpd/permalink/mH3Z4ME6TBUY2/ref=ent_fb_link

I wasn’t as enthused about the second book (Crucial Confrontations), but felt it was worthwhile nonetheless. I view it as a supplement to Crucial Conversations, focusing mostly on having conversations when there is a confrontation at stake.

Well, I’m extremely happy to say that Vital Smarts’ new book, Influencer – The Power to Change Anything, is not an example of the law of diminishing returns. This book is arguably the best thing coming out of Vital Smarts.

This book is a study of what works in the field of Influence, and borrows from social and positive psychology, management, sociology, and non-violent communications. The folks from Vital Smarts borrow from everybody, but come up with something that is cohesive, unique, and effective.

Mixed in with the data are numerous examples and case studies that serve not only to clarify the content, but to make the book an easy read as well.

This book is a must-read (or a must-listen) if you want to understand the tools to make change in your life, your company, and your world. Whether you’re trying to lose weight or reduce disease progression in an impoverished country, Influencer has something for you.

www.vitalsmarts.com

Communications, Leadership, Management, Marketing, Sales

Pick Up Artists and Pacifists

July 6th, 2008

As part of a really eclectic reading and training schedule, I’ve been reading The Game: Penetrating the Secret Society of Pickup Artists, by Neil Strauss, and auditing a course, PACS 164A, Introduction to Non-Violence, taught by Michael Nagler at UC Berkeley. What has interested me about both of these topics is their approach to communication, and also the end results they get, primarily because of the original goals of these communications.

The Pick Up Artists (PUAs) in The Game are interested in using communication technologies and skills, such as Neuro-Linguistic Programming and various psychological games, with one end in mind: to have sex with lots of women. Neil discusses in detail some of the tactics, but he is also objective enough to discuss the blowback. These PUAs often end up being very shallow, single-focused people who are unable to have trusting, long-term relationships with partners of either sex.

Intro to Non-Violence focuses on the non-violent movement largely through the methods of Gandhi and King. The course addresses non-violent principles and history, largely avoiding specific tactics.

The nature of The Game is person-to-person communication, while PACS 164A focuses on methods that change group thinking. The focus on group thinking is largely because of the focus on Gandhi and King. But many of our day-to-day communications and negotiations could be improved by incorporating some of the principles of non-violence.

I think that the Non-Violence movement could actually learn from the techniques of the Pick Up Artists. Non-violent principles are also very important in person-to-person communication, and a lot of the work of Gandhi involved the coordination of smaller non-violent activities to achieve a major goal. By incorporating techniques like NLP into the non-violent toolkit, the movement could have more success in changing minds and understanding the motivations of their adversaries.

Pick Up Artists could also learn from the Non-Violent movement about using their skills for something less shallow than getting sex, and end up being more well-rounded people.

Communications