Question was asked: “Are we concerned with a decrease of privacy in the virtual space?”

September 28th, 2009

While privacy is an individual’s main responsibility it has to also be driven by clear policy and governance (due care and due diligence) on the side of the companies that have the information. Let’s say I’m going to bank at ABC bank and they do not have to have policy on how to handle my private information and accounts is irrational at best.

They are driven by profits and realize they have to keep it private to stay in business. To do this they create policy and put practices in place to keep my data private or they risk me going to another bank. The bigger issue is the “virtual space” controlled by governments. We are living in a time where the government (in the US specifically) is talking about the power to shut down the networks in case of a “catastrophic cyber event”. They are pushing a government owned healthcare plan and now own a few car companies as well.

Why does this matter concerning privacy in the virtual space? They are not in it to make money and therefore do not have the same concerns to protect your information. If it doesn’t benefit them they won’t do it. They are political in nature so privacy is a hindrance to them.

It is even more critical for us to remain vigilant with our personal data and information but cannot be too ignorant not to share it. We get great discounts at stores, faster service at the doctor, and faster feedback from friends and family because of facebook, twitter, LinkedIn, and many other social networking sites.

Citizens have to hold our government accountable to the fourth amendment of the constitution.  To borrow from an article written by by Jim Harper titled “Kerr Defends the Third-Party Doctrine” and posted at (http://www.cato-at-liberty.org/2008/05/31/kerr-defends-the-third-party-doctrine) he makes some scary observations:

“Incredibly deep reservoirs of information are constantly collected by third-party service providers today. Cellular telephone networks pinpoint customers’ locations throughout the day through the movement of their phones. Internet service providers maintain copies of huge swaths of the information that crosses their networks, tied to customer identifiers. Search engines maintain logs of searches that can be correlated to specific computers and usually the individuals that use them. Payment systems record each instance of commerce, and the time and place it occurred. The third-party doctrine exempts law enforcement from the Fourth Amendment’s reasonableness and warrant requirements when it looks at these records.”

I’m amazed how people can state their privacy is solely the responsibility of the individual. It is, to a point, but it is also important to make sure it continues to be covered in our Constitution. Politicians need to protect our best interests and not theirs. The courts struggle with this as well but it is clear that third parties and especially the federal government should not invade our personal space and have our data regardless of where it sits. It is a loophole in the fourth amendment.

The fourth amendment was written in a time when technology was rudimentary at best. Our home was our personal space. It had everything personal to include our money (banks were not very popular), our schools (public school didn’t exist), and most importantly our family (everyone lived close or with family). Per the Constitution the government does not have the right to our information other than to process taxes. They get to your private data through a third party and this is legal but citizens should be speaking up on this and demand appropriate privacy protections. This is a great question but needs to differentiate between virtual spaces and “government” involved virtual space.

We need a “privacy” advocate in our federal government who will help establish policy and governance across the spectrum and help private industry with compliance so they can continue to make money and keep our data secure and as private as we want it to be. It is our information and we, the citizen, should have ultimate say in how it is used or who is using or viewing it. Privacy is so critical to the future of technology and how the world will only get smaller not bigger. Our data has gone global and is being used in scary ways by foreign government and corporate companies as well.

Third party doctrine, privacy with health care, and “Mr. President, is it a tax?”

September 21st, 2009

If we are going to discuss security and privacy we should also discuss how the government is going to verify everyone has insurance, they are paying thier “fair share”, and are punished if they do not. This weekend we were inundated by our President on every major news channel (almost every news channel) how this health care plan is “not perfect” but we have to do something. He was challenged time and again how do we pay for this. Is he creating a new tax on those mandated to carry insurance? 

Per the Constitution of the United States the government functions via the collection of taxes. This is straight out of the Constitution so if they are going to implement a government health care plan that is OWNED and OPERATED by the government then they have to collect a “tax” to pay for it.

For the federal government to make every citizen “have to have” medical insurance regardless if they want it is putting a new tax on them. They are going to be paying a fee to someone to comply with the new law that they didn’t have to pay yesterday. Is it a tax?

 What grinds me as a business owner is that it will affect our under age 30 employees the harshest. We don’t make a teenager pay for auto insurance before they are eligible to drive. Please don’t tell the insurance companies or the government this as they may start doing it. Let’s start collecting insurance from newborns then when they are 16 and able to drive we will have the funding to keep insuring the uninsured. The government is trying to pitch the same idea for medical insurance.

Please hear me out on this… 

This new Health Care Plan is the same thing. They haven’t addressed how they are going to secure the data, keep it private per the 4th amendment, and keep it out of government ownership. The government does not have the right to our personal data, to keep it, use it, or study it, other then to identify us to show how much “tax” we owe. It’s a lot less complicated then people are making this.  

Why should we ask a young 22 year old single person to carry insurance they do not need or want? They exercise regularly, eat well, have not developed any conditions, and most get a physical on a regular basis. Why should we impose these costs on those working hardest for every penny they earn? Most under 30’s are in the early earning years as it is and don’t need the government “taxing” them and mandating them to carry insurance. A lot of people choose not to drive or become a pilot and they are not required to carry insurance. 

I’m reviewing documents every day on your privacy and working with numerous customers to build secure systems and networks. To have the government establish “mandatory” medical is going to create a new system that will need to be built. While the Health and Human Services agency Office of Civil Rights was created to make sure there was compliance with Health Insurance Portability and Accountability Act (HIPAA) it doesn’t protect the data. The OCR is responsible for making sure providers are adhering to Federal privacy requirements under the HIPAA.

What does this mean?

It has little to do with the private citizen because the policy and the law do not protect your data. They tell the third party to protect your data and then the government can take this data from the third party.

Let’s unpack this concept a little more:

The government is going to pass a law to mandate medical insurance be purchased by every citizen. Per the forth amendment you are protected from unlawful search and seizure. How would they know whether you had it or not if per the constitution they are not allowed to dive into your personnal space? (ie: data) They get around this because of court decisions over the years. One was the United States v. Jacobsen, 466 U.S. 109 (1984): “This Court has … consistently construed this protection as proscribing only governmental action; it is wholly inapplicable to a search or seizure, even an unreasonable one, effected by a private individual not acting as an agent of the Government or with the participation or knowledge of any governmental official.”

If the above is true then we can assume what is called “third-party doctrine” is true as well.  

Third party doctrine is the legal principle where, in effect, you lose your Fourth Amendment rights when you relinquish information to a third party. This is very real and the government uses it all the time to get information out of companies. Watch how they will get data from the banks, insurance companies, and medical facilities.

The government will pass the health care bill into law which will in turn force agencies to deny coverage to people who do not purchase insurance. You will not be able to walk into an emergency room, doctor’s office, or medical facility and receive care without stating you will pay them back or sign your life away.

Summary:

I’m only asking that people think about your security, your personal data, your privacy and think long and hard what you want the government to know about you. We are spending billions upon billions (in some cases Trillions) to force regulation so the government controls and owns everything. This is not constitutional and it is a “tax”; a huge tax that will now impact everyone.

Who today is denied service if they go into an emergency room? No one in the United States! It’s your data and you need to be aware that the only way the government is going to make this work is to have you sign your rights away so they can “protect” you from yourself.

News Release – Privacy and Security Controls related to Healthcare (H.R.3200)

September 17th, 2009

Wash., DC, Sept. 18 —  “Because none of the health care reform legislation being offered by the White House or the U. S. Senate or the House of Representatives contains adequate provisions for assuring privacy and proper security controls for people’s health care records, it is essential that this grave concern be immediately addressed,” says SecurityCAFÉ Founder and President Shawn E. Anderson, PMP. 

“The unintended consequences of errors of omission currently being committed in haste are sure to have far-reaching harmful impact on millions of Americans,” the 20-year computer security expert explained to delegates attending the Values Voters Summit at the Omni Shoreham Hotel in Washington.

“Unrestricted access to people’s private health records represents a dire risk to their privacy and makes potential misuse certain,” Anderson says.  “Our lawmakers must be held accountable for invasions of privacy of any system they intend to impose on unsuspecting millions of Americans.  Right now, all of the health care reform proposals being offered contain ample potential for major abuse, manipulation and exploitation.” 

The computer security consultant calls records security the “Achilles Heel” of current health care reform proposals, urging immediate attention incorporating substantive protections.” He says “It is essential to anticipate and to prepare for an unfathomable volume of sensitive medical data.   Implementation of effective safeguards is imperative.” 

SecurityCAFE’s three-pronged computer specialty is in relating people, policy, process and technology to the functions of assurance, forensics and engineering.  Its internet website is  www.SecurityCAFE.com  Anderson may be reached by telephoning  571/216-6410 or e-mailing  Info@SecurityCAFE.com

Security Organizations

February 12th, 2009

How does an organization build their security organization?

This is a question for the ages. I’ve been in the Law Enforcement and Security world for close to 20 years and it amazes me the fractured state of security even today. Most organizations are still living in the dark ages and have separate groups working physical security, IT security, and personal security. This is not a good business practice because everything used is not technology based and the same skills often roll out of IT into the other areas.

When was the last time we used an actual VCR for taping security camaras?

Most camaras today are fed to a computer with a huge harddrive for archiving and later review. What about the increased use of smart cards and biometrics? This information should be coodinated with the IT systems so organizations can monitor access controls with where things occur. It would make more sense to have the badging system that is fed to a traditional physical security system monitored by the Operations Center as well so we can monitor who is where and when. Organizations can also limit access to IT systems if their employees are not badged into the building. These systems tied into biometric systems would allow for better compliance with federal mandates and policies. 

We should get out of the dark ages and work harder to combine security into one organization. There should be one Chief Security Officer who has direct reports from both the IT and the Physical security teams. They should be consolidated into one Operations Analysis Center (OAC) with a combined Security and Network Operations Center. Then have appropriate desk officers for different areas of the business whether it be geographical location or differing business practice. This OAC would monitor the networks for access control and provide metrics to the leadership on a regular basis to show access to data not systems. Monitoring the system is only going to help protect the perimeter but what about the data itself for privacy breaches and malicious insider threats? 

We can work to provide better solutions as a team rather then as fractured groups trying to slap each other to get ahead. Not a sermon…just my thoughts! 

CyberSecurity – huh???

February 11th, 2009

This blog was created because I’m discouraged at how privacy and data protection are being treated in general by companies, our government, and the international community as a whole. They say we need to focus more on cyber security but what is Cyber Security anyway? How do you secure something that is “cyber” meaning everywhere in the ‘bit stream’?

It would nice if companies and our government would start focusing on the data and not the pipeline. We sit in our cars on the freeway every day and while they are maintained the real value is the passenger inside the cars. That is where the important information sits. Those cars have our doctors, lawyers, police officers, fireman, the mailman, and the guy who pours our coffee every day. I’ve held many positions in security over the years, from Security Engineer to Chief Information Security Officer. Every organization I go into it is a very similar story.

How do we protect the network?

Most organization do not really have a clue what is riding on the network so they spend millions and millions to protect everything. We need to start focusing on the basics so we can spend this money a more wisely with lest fraud, waste, and abuse. 

1.       What is the baseline – What data do we have and how important is that data. If it’s not critical or life saving then who cares how we protect it. Either way we need a baseline of the data

2.      Implement strong policy and hold people accountable. If someone commits murder we don’t prosecute the gun manufacturer or the car company. We focus on the person that committed the offense. Stop going after the networking personnel because they didn’t build a security capability to stop “Bob” in finance from going to a porn site or losing his external harddrive because he kept taking it home every night.

3.      Train, train, train them. We don’t let people drive without taking a class so why do we let people drive on our networks without taking training?

4.      Document your system and the changes you make to that system.

5.      Finally monitor the environment. Make sure the software is up to date, patches are put in place, and that people are accessing the data they are supposed to be accessing.This is about holistic security. Make sure the employees are badging into the building and then appropriately accessing what they need to in order to do their jobs. Data protection is digital but it is still the same data we dealt with 50 years ago. It sits in cabinets, on computers, desks, and is spoken in the hallways of buildings.

How do we secure this and what is the importance of privacy and governance as a whole if we don’t’ know what it is we are spending the money on?