The Poneman Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.
In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies represnting 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.
Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.
What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?
Some factors they considered in computing the cost of the breach included:
- Direct costs - communications costs, investigations and forensics costs and legal costs
- Indirect costs - lost business, public relations, and new customer acquisition costs
The report also lists a number of causes for the data breaches, such as:
- 82% of all breaches involved organizations that had experienced more than one data breach
- 42% of all breaches studied involved errors made by a third party
- 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
- 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
Thoughts and comments welcomed…r/Chuck
I don’t usually plug any specific software, but I felt compelled to tell you about something I have been working with Microsoft on for about the last eight months–it’s called the Fusion Core Solution (FCS). What’s different about this project is that FCS isn’t just another application, it is an effort by Microsoft to help fusion centers do more with the many applications they currently own or have plans to invest in. First a bit of background.
Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going. At their core, I believe a fusion center is responsible for doing three basic things:
- Accepting and vetting reports of unusual behavior (criminal or terrorism related);
- Providing intelligence support to major case and tactical law enforcement operations; and
- Proactively supporting federal, state, and local homeland security and community safety objectives.
To do this well, the majority of fusion centers in operation today are required to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for their services into one application for management purposes, enter the same information into a second application for sharing purposes, then has to manually bring up and login to anywhere from 5-15 different data sources to search for information related to the service request, then has to open up at least one or more applications to write up and package up the requested response, and then, more than likely, has to either manually fax it to whomever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.
Today though, Microsoft announced release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution. Microsoft hopes, through use of Office, SharePoint and ESRI’s ArcGIS to help ease the pain described above. The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.
At a non-technical level, the FCS will enable fusion centers to do a couple of pretty cool things:
- Provides a common look and feel across multiple analytic tools and business processes.
- Greatly reduces the number of user names and passwords analyst must remember.
- Organizes requests for fusion center services, and tracks progress of fusion center work.
- Helps to better document and comply with 28 CFR Part 23, CUI and PCII requirements.
- Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools
- Helps to keep track of fusion center and extended staff capabilities and availability.
From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.
In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer“–you can think of FCS as the “operating system” for a Fusion Center.
For more info, check out the Fusion Core Solution website, or email me.
Added 8/4/2009: Click HERE to see Joe Rozek, Microsoft’s Executive Director of Homeland Security, and Former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security talk about Fusion Core Solution
If you’re like most folks, you stopped reading the “fine print” terms and conditions on free online appliactions like Google Apps, Windows Live, Zoho, and MySpace. I did too, until today. I caught an article on NetworkWorld.com today entitled “Privacy groups rip Google’s targeted advertising plan” that described how privacy advocates are concerned about Google’s foray into the world of behavioral targeting in its DoubleClick advertising business. So, that got me curious…what can Google (and others) do with your personal data, files, etc?
I did a quick check of four online appliactions that I use–Zoho, Windows Live, MySpace and Google Apps–here’s what I found.
- Windows Live had a different twist:
“Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a “Submission” and collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting (“Posting”) your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services.”
- MySpace pretty much mirrors Microsoft’s terms:
“After posting your Content to the MySpace Services, you continue to retain any such rights that you may have in your Content, subject to the limited license herein. By displaying or publishing (“posting”) any Content on or through the MySpace Services, you hereby grant to MySpace a limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and distribute such Content solely on or through the MySpace Services, including without limitation distributing part or all of the MySpace Website in any media formats and through any media channels, except Content marked “private” will not be distributed outside the MySpace Website.”
So, what’s the moral to this story? Three things…
- Take the time to read the fine print; make yourself and others aware of the privacy and terms of service conditions for these and other (free or fee-based) online appliacations;
- If your federal, state or law enforcement agency, fusion center, or other government agency are using any of these services, make sure you have written policies about what can and cannot be posted, stored, or shared through these services; and
- Assume anything you do post or share will a) make its way outside of the United States and b) reused in some way for marketing or advertising purposes.
Play it safe; don’t assume your information posted to these services will remain private. Remember, once out, that privacy genie will be nearly impossible to get back in the bottle.
As always, your thoughts and comments are welcomed…r/Chuck
Time Magazine just released “Fusion Centers: Giving Cops Too Much Information?” – another article in a long line of articles and papers published over the last few years by many organizations describing how fusion centers are a threat to our personal privacy. In the article, they quote the ACLU as saying that
“The lack of proper legal limits on the new fusion centers not only threatens to undermine fundamental American values, but also threatens to turn them into wasteful and misdirected bureaucracies that, like our federal security agencies before 9/11, won’t succeed in their ultimate mission of stopping terrorism and other crime”
While I disagree with their assertion that “legal limits” are the answer (we already have lots of laws governing the protection of personal privacy and civil liberties), I do think that more can be done by fusion center directors to prove to groups such as the ACLU that they are in-fact operating in a lawful and proper manner.
To help a fusion center director determine their level of lawful operation, I’ve prepared the following ten question quiz. This quiz is meant to be criterion based, meaning that ALL ten questions must be answered “yes” to pass the test; any “no” answer puts that fusion center at risk for criticism or legal action.
Fusion Center Privacy and Security Quiz
- Is every fusion center analyst and officer instructed to comply with that fusion center’s documented policy regarding what information can and cannot be collected, stored, and shared with other agencies?
- Does the fusion center employ a documented process to establish validated requirements for intelligence collection operations, based on documented public safety concerns?
- Does the fusion center document specific criminal predicate for every piece of intelligence information it collects and retains from open source, confidential informant, or public venues?
- Is collected intelligence marked to indicate source and content reliability of that information?
- Is all collected intelligence retained in a centralized system with robust capabilities for enforcing federal, state or municipal intelligence retention policies?
- Does that same system provide the means to control and document all disseminations of collected intelligence (electronic, voice, paper, fax, etc.)?
- Does the fusion center regularly review retained intelligence with the purpose of documenting reasons for continued retention or purging of outdated or unnecessary intelligence (as appropriate) per standing retention policies?
- Does the fusion center director provide hands-on executive oversight of the intelligence review process, to include establishment of approved intelligence retention criteria?
- Are there formally documented, and enforced consequences for any analyst or officer that violates standing fusion center intelligence collection or dissemination policies?
- Finally, does the fusion center Director actively promote transparency of its lawful operations to external stakeholders, privacy advocates, and community leaders?
Together, these ten points form a nice set of “Factors for Transparency” that any fusion center director can use to proactively demonstrate to groups like the ACLU that they are operating their fusion center in a lawful and proper manner.
As always, your thoughts and comments are welcomed…r/Chuck
Have you noticed a lull in the amount of spam your agency has been seeing? I did for a while. Well, a recent article by Government Computer News may explain what is happening.
In a March 5, 2009 article entitled “Spammers retool for a renewed assault” they lay out a very scary explanation for the recent drop in spam and paint a not so comfortable description about what spammers are planning–here’s a quote:
“The bot masters are trying to build their botnets back up,” Masiello said. “There is a lot of variance even on a daily basis on how much spam is being sent and received…they are likely going to be used for ID theft, mostly,” Masiello said. But the data also could be used to tailor fraudulent e-mails that could be convincing enough to entice even wary recipients to visit malicious Web sites or download malicious code.”
While spammers will continue to react and adapt to whatever tecnical means we have to prevent their attacks from harming our systems and data, there are three simple and very effective things you can do to thwart these evil doers:
- SPAM/VIRUS SCANNING TOOLS: This is your agency’s first line of defense against spam-initiated virus, spyware, and trojan attacks. While it’s hard to find an agency that is not using virus and spam scanning tools, periodically check to a) make sure your users have not turned off those tools, and b) that their tool definitions are up to date. On the network side, make sure your enterprise scanning tools are configured for maximum protection and that definitions are kept up to date with current spammer tactics.
- PERSONAL REMINDERS: You hear it all the time, 80-90% of information security issues are because of what “people” do (or fail to do). And, I hope you’re not counting on your agency’s annual IT security training to get them to protect themselves and your systems. An old adage frommy Navy training days used to say “if you want them to listen, you gotta tell’em seven times, in seven different ways.” This continues to be good advice. You are going to have to continually remind users to not open any attachments or click on any links in emails from people they do not know. Some ways include: a short email to all your users once every 30-45 days and include an example of a targeted spam email; place a note in agency newsletters; or have leadership mention it at stand-ups/watch turnover.
- OUTBOUND SCANNING AND IP BLOCKING: While most agencies are filtering inbound spam email and IP addresses, i’d guess that many of them are NOT doing the same on OUTBOUND emails and IP addresses. A good layered defense takes into account the chance that something may get past your inbound scanners. It’s a good practice to also scan and filter OUTBOUND emails and IP connections to make sure that trojan isn’t “calling home”; there are a number of websites out there to help you set this up.
As always, your thoughts and comments are welcomed…r/Chuck
The IJIS Institute announces the appointment of Chuck Georgo, founder of NOWHERETOHIDE.ORG, as the Chairperson of the IJIS Institute’s Security and Privacy Advisory Committee.
The purpose of the IJIS Institute’s Security and Privacy Advisory Committee is to provide advice and counsel to the Department of Justice’s Office of Justice Programs (OJP), as well as other national organizations, on issues of information system security and privacy as applied to integrated justice and public safety information systems, and to develop materials and seminars to educate industry and government staffs on security and privacy measures, designs, and related issues.
The Security and Privacy Advisory Committee strives to be vendor agnostic in all activities and work products and to be the authoritative source for establishing effective privacy and security measures throughout the justice, public safety, and homeland security information sharing community. Additionally, the committee’s goals include increasing government and industry awareness and understanding of technical and non-technical privacy and security requirements and improving the privacy and security posture for federal, state, local, and tribal justice information sharing efforts. In order to achieve these goals, the committee performs research, issues white papers, develops and conducts training, participates in advisory working groups, and supports technical assistance projects.
Chuck Georgo, regarding his appointment, noted that, “Successful information sharing requires trust. I believe that to get trust you need two things—honorable motive and reliability. Organizations must know that your motives benefit the social good and that your means to protect shared information from compromise is achievable and durable. While honorable motive is in the hands of law enforcement and justice agency executives, I believe that the IJIS Institute, through the Security and Privacy Advisory Committee, can help government and industry to employ effective ways for achieving the reliable means to protect that information. I look forward to working with my fellow committee members to further advance the cause of information sharing through robust security and privacy principles and practices.”
Chuck Georgo has nearly 28 years of experience in intelligence, national security, defense, and law enforcement arenas. He has served as a strategic planner, business analyst, and technologist supporting the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, and many other public and private sector organizations.
# # #
About the IJIS Institute — The IJIS Institute serves as the voice of industry by uniting the private and public sectors to improve mission critical information sharing for those who protect and serve our communities. The IJIS Institute provides training, technical assistance, national scope issue management and program management services to help government fully realize the power of information sharing. Founded in 2001 as a 501(c)(3) non-profit corporation with national headquarters on the George Washington University Virginia Campus in Ashburn, Virginia, the IJIS Institute has grown to more than 240 member and affiliate companies across the United States. For more information visit www.IJIS.org.
About NOWHERETOHIDE.ORG – NOWHERETOHIDE.ORG, LLC, was established to help federal, state, and local law enforcement, justice, and homeland security agencies to better achieve their public safety and national security objectives. As our name implies, we want to help these agencies become so effective that criminal elements have nowhere-to-hide from justice. We offer planning, assessment, and technology consulting services to help law enforcement, justice, and national security agencies identify and resolve the issues that currently stand in the way of achieving high performance standards. For more information visit www.nowheretohide.org.
Doris Girgis | Communications Specialist | IJIS Institute | Ph: 703.726.1096 | www.ijis.org
Realize the power of information.
Support the IJIS Institute by ordering your gifts from one of 700 stores on the iGive portal and selecting the IJIS Institute as your organization of choice.
January 6, 2009