Last week was just such a case. I had a meeting with the CISO of a government agency and his staff. The conversation covered a number of topics, including Web 2.0 security, and  protecting sensitive information, including personally identifiable information (PII).  I felt all of the conversation was valuable, but I thought that I’d cover the portion of the conversation related to blogging for this article.

The conversation revolved around blogging and wikis, both internally and externally, and protecting sensitive information being leaked from or by blog and wikis.

Different scenarios were discussed, including blogs designed solely for internal use, blogs designed for external use, and blogs which recieve contect from external users.

Internal Blogs: Aren’t internal blogs and wikis, sitting behing the firewall, with limited access, protected? Here’s the paradox! While the blogs themselves are protected, the data sitting on those blogs is now centrally located, and arguably more of a target.  By setting up a permitted platform to allow information sharing, you’ve also set up a central repository of sensitive and valuable information.

You can protect the information found on internal blogs from exiting your organization in an inappropriate fashion by using data loss prevention (DLP) data fingerprinting on the underlying database.  Adding fingerprints to the DLP database provides a way to identify wiki/blog data that is being used inappropriately (i.e. someone tries to email this data to an external party), and stop its transmission. Technologies like Websense’s patented PreciseID (TM) can provide fingerprinting technology that is fast, reliable, and secure.

Blogs for external use:  Data leakage to external blogs could be a problem as well, as authors mistakenly publish sensitive material to a public facing website.

DLP provides a way to identify and stop data deemed sensitive or personal in nature. By setting up a policy that monitors the blog web interface, an agency can minimize the risk of sensitive information being exposed accidently.

Sensitive Data and PII Being Placed on Blogs from the Outside. In this scenario, users post information that compromises their own PII or sensitive information on an agency website.  For example, a Veteran uses a blog application and sends their SSN or medical records, not realizing that it would be exposed publicly.

In this case, the author’s comments are sent to a queue, pending acceptance from the publisher. DLP discovery could be used while this information is sitting in the queue, and if there is sensitive information, warn the publisher and other interested parties.

The publisher of a blog document has another potential issue. During the check for validity of a link in a message, the publisher could also expose her workstation to malware. The threat from this type of attack could be reduced by using something like Websense’s Defensio service.  Also, Websense Security Gateway can provide real-time analysis of the content of a URL string, and block it if the content is deemed malicious or inappropriate.

This was a good example of the conversations that Websense is having with our Federal Customers. We are providing practical solutions to difficult problems.

If you are interested in having a similar conversation regarding your agency’s information assets, please contact me at 410-740-3490 or pmisner@websense.com

www.defensio.com  Websense Defensio
www.websense.com/wsg  Websense Web Security Gateway
www.websense.com/dlp  Websense Data Security Suite

(Overview: Video http://www.youtube.com/watch?v=tnK0s6aWzCM,
Text http://government.zdnet.com/?p=4498 )

The Dalai Lama’s organization  made the analysis
public, which is unusual for an information security breach of this
nature.   The reports are available at

http://documents.scribd.com/docs/1jiyoq3c13a9a4udh2s7.pdf

and http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

It could be argued that there is nothing new in the findings in terms
of attack vectors, exploits, and payloads. What can’t be argued is that
this was a highly structured attack after specific high-level
targets.  This attack is similar to those we’ve seen at many
Federal Civilian Agencies.

One of the big differentiators I saw in this attack was the use the
content of legitimate outbound emails as a way to strengthen the target
profile. The attackers took the content of legitimate outbound emails,
and added malicious payloads hidden in Word and Acrobat
files.  There was no distinction between the text of a
legitimate email, and a compromised email, because they were written
with the same exact text.

The reason that the web and email are exploited as attack vectors is
that these vectors allow non-security personnel to essentially make
network access control decisions. It’s the user that makes the decision
to click on the URL or download the application to their desktop. In
the past, many security people have felt that the problem with web and
email security was due to users who didn’t understand or care about
network security. The Dalai Lama attack shows that there are web and
email based attacks that even the most vigilant and knowledgeable
security person would not be able to determine on face value.

I was enthusiastic about the analysis and detailed forensics in this
report. But it was painfully obvious to me that these reports fell
short when it came to providing solutions.  Some of the
recommendations were to use user based access controls, like SeLinux,
which arguably are very difficult to implement in any environment that
interacts with the outside world.

Preventing attacks like these is the reason why talking to Websense
should be required for your organization. Websense has the technology
to minimize exposure to these sophisticated, multi-channel
attacks.

• Websense Web Security Gateway can categorize, analyze, and inspect
  both known and unknown URLS, including those that contain malware and
  spyware. We can identify zero-day exploits, and provide protection
  before anti-virus definitions or patches are created. It is all but
  certain we would have blocked the links that contained the malware in
  this investigation.

• Websense Data Security Suite can discover, monitor, and protect
  sensitive agency information from being disseminated
  inappropriately.

• Websense Email Security can remove suspicious URLs in the
  cloud,  even before they bridge your network

If your agency is concerned about these types of attacks, it would be
beneficial to talk with my engineers and myself.  To schedule
an appointment with my team, please call  me at
410-740-3490, or email
pmisner@websense.com

• See reports and videos on Websense Security Gateway
  at  http://www.websense.com/wsg

• Information on Websense Data Security can be found at
  http://www.websense.com/dss

• Information on Websense email can be found at

  http://www.websense.com/content/HostedEmailSecurity.aspx

So it amazes me why Data Loss Prevention isn’t being adopted quickly by every government agency who has data security as a priority. IDS/IPS, firewalls, AV, web security, all have their place, so do things like properly patching, certifying and accrediting hardware. But none of these technologies provide agencies with WHAT THEY NEED MOST, a data-centric view of their network, and the abilitiy to view agency data business processes.

The biggest crime today against US companies and government agencies today is data theft. Arguably, data loss by legitimate users may be a bigger problem. It’s easy to find examples of goverment agencies who have suffered from serious breaches of data loss, due to accidental or non-malicious misuse. Many of the security people at the top lost their jobs. And they should have. An event that happens once should be a lesson learned. After a breach happens, if no compensating controls are planned and implemented, then the person responisible is negligent and/or incompetent.

What no IPS or Firewall Can’t Do.

IDS and Firewalls protect access inside and outside the network, but this protection is network based, and is pretty good at stopping attacks from the outside.

In today’s data centric environments, that is not enough. A hardened firewall or properly tuned IPS can not protect against the accidental emailing of data from a known user. It can’t stop data that should have been encrypted before going out. It can’t stop transmission of sensitive data to open chat, peer, or webmail sites.A Firewalls are no protection for sensitive data going to the websites or IP addresses of our enemies.

It can’t do these things because while firewalls and IPS are protocal and packet smart, THEY ARE DATA DUMB. Firewalls and IPS can’t determine where sensitive data resides on the network. Firewalls provide no way of catagorizing sensitive data. IPS doesn’t see where data is coming from, and where it is going to, what the data is, and how it’s being sent. A good DLP architecture will prevent against this.

At the core level, DLP looks at suspicious data, and provides a way to identify, monitor, and protect that data., DLP is more valuable from a higher level of abstraction. DLP identifies the underlying business problems causing sensitive data to be misused.

DLP can be used to identify who, what, where, when, and how sensitive data is being transferred. Your security investigators and privacy staff can focus on why and was. “Was this something that we didn’t think of when we created our privacy policy? “Why was this policy violated?” “Was this something that could have been avoided?” “Is this a problem that can be fixed with automation, training, or a control mechanism.” “Was the intent of this attach malicious?”

It only takes one email, one chat session, or one peer to peer data exchange to lose data.

Remember, it’s not just about PII! Depending on your agency, a person’s or company’s financial future could depend upon the proper security of your data. At some agencies, data protection is literally a matter of life and death.

The problem this agency faced was that there was no technology in place that could look at sensitive data from a business process level. There was no technology that could understand what sensitive data was, where it resided, and how it was being used. There was no technology in place that could have identified and stopped the inappropriate use of sensitive data. And there should have been.

How the Plan Could Be at Risk

The stimulus plan focuses on innovative ways to improve government, including

* electronic patient records,
* new technologies to foster energy independence,
* and improved transparency of spending.

All three of these initiatives have something in common; The release of sensitive information could derail the adoption and/or continuation of these initiatives.

One of the benefits of patient records is also one of the greatest fears of patient records; Patient records are much easier to access. What happens if the technological advancements that our taxpayers fund become a competitive advantage to another country due to a data leak? Will be decide to become less transparent fiscally if sensitive data gets mixed in with data in the public domain?

The security issues mentioned above are largely transparent to the traditional arsenal of network based security products. In order to protect against these types of risks, Data Loss Prevention Technologies need to be implemented.

It’s time for Data Loss Prevention

It’s been over two and a half years since the Office of Management and Budget issued memorandum MO6-16, which “requested” that all government agencies deploy data encryption on hard drives. At that time, Data Loss Prevention was in its infancy, and probably not pragmatic for large government agencies. DLP is here now. It’s real, it’s solid, and it works.

MO6-16 pretty much solved the issue of data loss from the lost laptop. If a drive is lost, it’s encrypted, end of story. However, once those laptops are turned on, it’s a different story. Disk encryption does nothing to protect data in motion. Data encryption can’t protect against the user who sends information to the wrong party, or who posts private information on a public website. Neither can IDS, Firewalls, AV. These types of problems can be identified and remediated using DLP.

Federal IT organizations have limited resources, and the decision to use Disk Encryption was escalated in the budget process due to MO6-16. A similar sense of urgency needs to be applied to Data Loss Prevention, and this could be accomplished by amending this directive.

Download the information pack

To get your data loss prevention buyer’s guide, click here

 This package includes

* Data sheets for Websense Data Security Suite
* 2 Data Loss Prevention Buyer’s Guides
* Reports from Forrester and Gartner.

Talk to me.

I’d welcome a chance to hear from you as well. I’d be happy to walk through the technology, and provide you with overview of Websense’s Data Loss Prevention Suite.

I really love my job, but there is a lot of paperwork. A lot, a whole lot, and I like to be making calls, and going to meetings. And the thing that the always, systematically fell through the cracks were expense reports. Unfortunately, late expense reports really upset my Senior VP, and it’s not so great to be on his radar for something like this.

I did a review of “The 4 Hour Work Week”, and have glanced at Friedman’s “The World is Flat”. Both of them wrote about virtual assistants. Could a VA be the answer to my problems?

II wasn’t new to the idea of outsourcing. I’ve used an online outsourcing service for contract jobs for a long time. I had some website work done, a virtual demo lab made, a custom app made for my phone, and I had very good results (with the exception of a project that was abandoned). So moving to a virtual assistant didn’t seem like a bad idea.

Because of the nature of my work (selling to the Federal government), I decided to employ someone who was worked in the US. I found a woman who worked out of Oklahoma, who quoted me a rate of $7/hour. What a bargain, I thought.

Especially when I did the math. Paperwork is really expensive in terms of a salesperson’s time. In order to make my quota, I need to be producing $10,000 an hour in the two hours or so I get a day to to make calls. If I get one more hour a day of free time, that’s $1.25 million more revenue to my company.

For a while, it worked very well! I sent out my expense reports, had her do some other reports, research, and various other jobs, and it was great being able to sell again. I was on the phone, making more appointments, and getting more revenue. It felt like it was a very cost effective move for me. And I was doing the parts of my job that I love, and delegating the things I didn’t care for.

It went very well for about 4 months or so, then things started going south. There were the excuses, problems with equipment, illness, etc. Then it became harder and harder to reach her. And then she all but disappeared.

Unfortunately I was working without a net. My receipts were going to her, and I neglected to make copies for myself. When the assistant went MIA, I had approximately $4K of receipts in her hands, stalled, and I was unable to rescue them. Despite calls and pleas via email, I didn’t get a response. (I knew she was reading the emails I sent her, because they were tagged with receipts).

In desperation, I sent an email with the title “Quick action needed for $50 bonus.” Not surprisingly, I got a response in about 20 minutes. I requested for her to send me back any receipts and paperwork still in her custody, and if she got them back by a certain date, I would give $50.

The story I received from her was that she had a miscarriage, and she was not handling it very well. I certainly felt sorry for her, but not getting those receipts in a timely fashion put me in a world of hurt. I certainly got chewed out by my Senior VP, and as of today, it’s up to his mercy if I get reimbursed. I consider it a $4K lesson learned.

In retrospect, I made a lot of mistakes, and there were warning signs that I should have recognized that should have told me to get out of this arrangement. If you are thinking of employing a virtual assistant, here are some tips.

* Make copies of anything that is time sensitive and/or not replaceable. If I had done that, I would have had a valuable safety net against failure.

* If your personal assistant blogs, READ THE BLOG. When I read the assistant’s blog, I not only found a whole lot of grammar and writing problems, but I also got a chance to read about her arguments with a neighbor. This should have put me on notice that I was dealing with an unstable person. Blog entries are done often in a hurry, so a couple of typos shouldn’t be a concern, but if there is no attention to detail, you probably don’t have someone who can do the job.

* When it gets wacky, send them packing: About a month into the gig, my assistant asked me for a $1K loan. It was very premature for such a big request. I wouldn’t do it, and it really felt tacky to me.

* If other people in the house do something to the computer your assistant is working on, dump the assistant. It’s an indication that he doesn’t have a good, secure, workspace. If they don’t have a dedicated computer, they are not prepared to do the job.

* Agree on the kind of documentation of work that you want from the assistant, and tie it to pay. If you don’t get an invoice, they don’t get a check. I’d have weeks where I’d get these big bills, and didn’t know what was done for me.

* Take your time looking for an assistant. If you see anything that could jeopardize your assistant’s work getting done, then move on to someone else.

* If you see any problems during the interview process, like a missed call, move on. It’s a good sign that things won’t work out.

* Do not lock yourself into a long term contract. If it doesn’t work, have the flexibility to find someone else.

I’m making another bet on a VA. I know a lot of people that have had excellent results with a VA. I hope that my more cautious approach will make this engagement much more successful.

Oh, the roaches. After I finished with my virtual assistant, we had a problem with roaches in my house. A couple of months later, I opened up a package from the VA containing my CardScan. It also contained the bodies of about 10 roaches. Was it done on purpose? Honestly, I hope I’ll never know for sure.

Well, I took a look at your resume, and it’s great. You read and write Hebrew and Greek, we can really use that. The Founder wasn’t really into documentation, and we really need someone who could help us get some of his speeches down in writing. We’ve got one guy, Mark, whose just about ready to finish up something, and I hear another guy, Matthew is planning on doing some kind of revision.

I see you were referred by Paul? Did you know him when he was a cop? Yeah? I know he really has changed a lot since then. Seems a few years back, our Founder’s Son came down to recruit Paul into the organization. They had a brief talk, and Paul joined up. Changed his name and everything. We really had a lot of doubts about Paul at first, but he’s been one of our top performers, really working hard to penetrate new territiories and develop new markets for us. He’s started a number of User Groups, and he’s written some pretty good white papers for us too. We’re planning on adding Paul’s white papers to our user’s manual.

The first thing I want to tell you is that we are selling the perfect product. Everybody needs it, millions have been asking for it, and there are millions out there who need it, but don’t even know that they do. We really need to get out and push the messaging.

Let me tell you a little about ourselves. We’re an established start-up. We’ve been in business for about 5 years now. Our Founder’s Son started this territory, ran it for about three years, and then returned to Corporate. He’s still actively involved with us, in fact I recommend that you talk with him as much as you can. I’ve heard one of the things he’s working on now is a Sales Club for our top performers, and it’s going to be so incredible, that once you’re there, you’re never going to want to leave.

We had some independent agents do a little bit of publicity for us prior to starting the territory, but by in large, people weren’t getting the messaging. Corporate was getting very concerned about this. If we maintained the status quo, this territory would have just folded to the competition. So the Founder sent his Son down to see if we could change things for the better.

Immediately, the competition tried to do a friendly takeover, and was in discussions with the Founder’s Son. He turned them down, and went out and hired 12 inexperienced salespeople, and made them regional managers. We had some turnover, one of the regional managers later left after he leaked some priviledged information.

The regional managers did a pretty good job with the Founder’s Son’s help. The Son is a amazing public speaker, and he could do some amazing demos. He gave the ability to demo to the RM’s but to be honest with you, sometimes they just lacked the necessary confidence to to the demos as good as the Son. They are starting to get stronger with more experience and faith.

We brought on some more people, but now we are thinking about developing a multi-level marketing program. We’ve just found that our customers make the best salespeople.

I want to be straight with you. There are some bad things about this opportunity. . We have some major competition in our marketplace. We don’t hold marketshare right now. The market leader is a company called Darkside, Inc. They have some real slick marketing materials, and they are extremely aggressive in the market. They will say anything to make a sale. They don’t require a lot of committment, but once a customer has signed up, it can be very difficult to leave, even though Darkside has a very poor product satisfaction rating. The salespeople at Darkside just keep promising and promising, and their customers hope they deliver. Unfortunately, Darkside never delivers.

We did start a competitive trade-in program against Darkside about 20 years ago, and while we are not getting the response we’d like, we are extremely delighted even when we can get just one person to make the transistion. And I’ve never seen a customer who’s used our product correctly feel disappointed after coming from Darkside.

The converse is also true. Nothing makes us more upset than losing a customer to Darkside. Darkside promises everything to the customer, but when they sign up, they will find that the most important things are missing.

Also, there will be a lot of travel. The size of the territory is tremendous. You’ll be living on the road much of the time. We don’t have any cars or planes available at this time; you’ll be limited to foot travel and the occassional donkey ride. You can expense your sandels though, within reason.

We don’t have a lot in the way of technology either. No cell phones, no powerpoints, no laptops, no TV or radio marketing. We are expecting these things in future budgets, but right now, you’re going to have to rely on word of mouth, getting out in the field and pressing the flesh. The one technology that we do have is instant messaging with the Son and the Founder. If you need Him, He’s always available.

Ok, I’ve been beating around the bush. We’ve got a problem with regulations in some of the territories in which we operate. I’m sorry to say this, but our product has been determined to be illegal by the authorities in those territories. In some places, allthough we aren’t illegal, we’ve met such a hostile reaction from the locals, that we might as well be illicit. Some of reps and customers have been arrested, jailed, and even killed. You really need to consider the possibility of this happening to you and your people before you accept the position.

We’re not backing away. We feel that our product is so important, that we have to bring it out to the field, even if local governments feel differently. If we can penetrate some of the markets in these areas, we could overturn these laws barring our service.

You won’t be alone managing. After He left, the Son sent down one of His assistants to work in the field. You really should take advantage of this resource if you take the position. I’ve been told that working with the Assistant is like working with the Son himself. This assistant is very efficient, He seems to be working everywhere at the same time.

I know I’ve given you a lot to think about. Go home, talk it over with your wife, and get back to me. Here’s some of the Founder’s speeches to look at while your making the decision. We are going to add these to the User’s Manual. My personal favorite is the one he did at the Mountain some time back.

I felt pretty bad, and I know that this customer will more than likely will have to “take it on the chin” in order to realize that what I was offering them would have protected them. (I sell Internet security and Data Loss Prevention products.)

Then in church tonight, it dawned on me  how myopic my vision has been, and what this one deal had done to me over the past few months. I truly didn’t know what “the big deal” was.

Seems like everyone in my profession is a workaholic, or has the potential of being one.  And I stand before you guilty as charged.  But for the past 3 months, I took workaholism to the extreme.  I was working 12-18 hours a day, 7 days a week,  putting together pricing, presentations, and responding to my other customers. I didn’t take care of myself, I stopped working out.  I neglected my writing, my solutude, my education, and my spiritual life. And worst of all I lost contact with my friends, my boys, and my wife.

And eventhough I put in all this time, I didn’t get my work done to my satisfaction. My performance suffered, and I for the first time ever, I really started to hate being a salesperson. I wasn’t doing what I like to do,  which is calling on customers, and going to appointments.  My job had transitioned from salesperson to desk jockey.

I also love the technology, and wasn’t getting a chance to play with it. That’s how I learn, hands on, so I didn’t have the level of confidence speaking about my company’s technology that I usually have.

Honestly, I was thinking about my family, my church, and my education, when I worked all these hours. This was not about personal gain, but a chance to drop a few grand in the collection plate,  go on a nice vacation, and pay for my Master’s degree.  But in the course of all of this, I totally lost perspective. I forgot about all the other “big deals” in my life.

I forgot that

• God is THE big deal.
• My friends are a big deal.
• My health is a big deal.
• My education is a big deal.
• Rest is a big deal.
• Having fun is a big deal.
• My boys are a big deal.
• And my wife is a great, beautiful, loving, and special big deal.

And yes, my customers and my job are a big deal. But it’s not big enough to warrant excluding all the other big deals.

A salesperson’s job is like a black hole.  I find that I get sucked up in the hole every few months or so.  There are times when it is truly busy, but if I let it happen, “busy times” will be all the time.

I’m sure that I’ll get sucked into the black hole again, sometime, somewhere. But I do hope that by writing this,  I’m reinforcing the importance of all the other things in my life, and buying myself a little more time before I fall in the hole.

I hope that you’ll remember all the big deals in your life, and do your best to keep them all in balance.

If you’re reading this on Christmas, have a merry one.  If you’re not, then make it Christmas for those around you.

Cover of new Eminem book

My wife was nice enough to snag me a copy of the new Eminem autobiography, “The Way I Am”. From the size of the book, and the artistic cover, I thought that it would be a decent thing to look at while doing the jazz/coffee thang.
I was pleasantly surprised to find a somewhat short (=my attention span) story of hard work, creativity, perseverance, and insight.

I got more out of this read than I’ve gotten out of most of the “motivational” and “creative” how-to business books I’ve read this year.

I really appreciate that Mr. Matthers is honest about some of the mistakes he has made, and mentions that he still has some issues with anger management. The honesty added to the credibility of his story.

I used to do volunteer work with abused and neglected teens. With all the kids I worked with, Eminem’s lyrics struck a chord with them that I didn’t see with any other artist.  He had a similar upbringing to a lot of the kids that I work with, and he showed, by his example, a way to bust out of that life.

I’ll take motivation and inspiration from anywhere I can get it, and I certainly found it in this book.

I don’t know if I’d buy this if I wasn’t a fan of Mr. Matthers. The story is short, and you could probably finish it in a day or so. For the interested, non-fan, library’s probably a good choice on this one.

But if you leave this book around the house, it might become a way to sneak some positive values into a rebellious teen.

The politically correct and easily offended should stay away. This is not your book.

A good read, great artwork, a very nice gift for a fan.

These Speakers Rock

If you are out on the road and a music lover like I am, you’d probably find that any speakers on any device in a hotel lack the sound quality you want.  If you got your laptop along, then you should take a look at the TRITTON: Sound Bite, Portable USB Speakers. The get great sound, have a very small footprint, and plug right into your usb port. As added benefit is that they set up a separate music driver, so if you are using Skype or some other service, you can keep doing it while getting your groove on.

About the size of a hockey puck, the stereo tweeters sit fold up to look like Mikey Mouse with broken ears. I find that I’ve been using these more and more for business too, in conjuction with my Dell Mini and Dell MIni 109 Projector.
TRITTON Sound Bite, Portable USB Digital Speaker System

If you are a salesperson who needs to use Salesforce.com or SugarCRM on the road, then a Dell Mini will be a godsend. It’s small enough to avoid the “coach seat crush” and fit nicely on your plane’s tray table, and it has a very good battery life.

I went Windows. Much as I like Linux, (most of my servers are Linux), I chose to go with XP  because this is a work machine, and I don’t have to worry about working with my work applications.

The keyboard is nice sized. I had a bit of trouble touch-typing with it because some of the keys are smaller and placed in unique areas, but after a couple of weeks usage, I’m hitting the apostrophe key with my thumb,  and think I can type the longest of messages without adding an additional keyboard. When I do feel like  stretching out, I can always add a keyboard.

The Dell Mini is not without drawbacks, or rather the bloatware that we use every day isn’t optimal for the Mini. The memory and drive space on the Mini are limited through dell at 16 gigs of SD Drive space, and 1 gig of RAM.  Drive compression is on by default, something you’ll notice if you’re running Outlook. Good thing that Dell didn’t put Vista on this thing.

Dell ships the mini with a cdrom install disk, and the suggested way to do the restore is with a USB CD drive. They really should have put that stuff on a bootable USB drive.

This is the first time since EVDO modems that I can say a piece of technology is going to improve how a salesperson works.

I think a whole cottage industry could be built around making thinner and specialized apps for the Mini. I’d love to see a lightweight Outlook compatible app that worked on the desktop. Maybe with Google Gears or something