WERE LAW FIRMS THE FIRST TO DISCOVER THE POWER (AND PITFALLS) OF METADATA?

Thanks to the NSA leaks, metadata has become a mainstream topic of conversation. Many of the less technically inclined are trying to make sense of it all. TV is not necessarily my go-to educational source for exploring new tech topics–I’m more of a Gigaom and, I confess, a Life Hacker person— but I then stumbled upon The Good Wife. It’s a show about law firms that, unlike most TV shows and movies, happens to get the technical details right. In one episode, the partners in the mythical Lockhart Gartner (LG) law firm display a deep understanding of the difference between metadata and the actual data content it describes. I was somewhat surprised by these geeky lawyers, but as I later learned, the legal sector has a reasonable claim to make for being early adopters of metadata technology.

In this latest season’s first episode, the partners have suspected the firm’s 4th year associates are recruiting clients in a bid to launch their own firm, so they examine the associates’ cell phone records—the metadata—and then take the additional step of looking at SMS text—the actual data. I present the following transcript as evidence:

• Alicia: What’s wrong?
• David: We looked into the company’s phones. Over the past month, the fourth-year associates have called our top clients a dozen times each.
• Diane: We’re worried they’re thinking of leaving with them. Do you have any insight?
• Alicia: No.
• Will: We called the clients, but they’re being tightlipped, said they have no plans of leaving at the present time.
• David: Which is known as “preserving their options.” I say we move past metadata and access their texts.
• Diane: Can we do that?
• David: Yes, we can do that. They’re our phones. We own the texts.

As a legal matter, employers can look at employees’ text messages sent on a corporate phone—it’s essentially company property, just like email.  And you should check out our post on confidential company information for some finer points on intellectual property in a work context.

The more important concept is that LG’s partners understand that by looking at phone numbers, along with call dates and times of calls (i.e., the metadata), they can make very informed guesses about what their employees are doing—stealing clients in this case.

How did the show’s attorneys get to be so savvy about the power of metadata to make inferences?

Here again The Good Wife plays it close to real life. In doing my own research and examining some back issues of ancient legal tech magazines–thanks Andy!—I think I’ve found the source of lawyers’ metadata precociousness.

Lawyers were early and heavy users of Microsoft Word and were quick to realize the promise of the metadata stored in text documents by this new word processing software. It turns out that extended file metadata has been a known feature of Microsoft Word since the late 1990s and beloved by attorneys who worked in collaborative environments.

Beyond a Word doc, since any electronically stored information contains at least some metadata, lawyers quickly learned how to leverage it in the course of e-discovery during litigation. E-Discovery tools, which used metadata to categorize legal documents, enabled law firms to quickly collect, process and analyze electronic evidence.

Metadata also had a perilous side.

Law firms learned, sometimes by accident, that metadata can reveal information about internal legal operations. When a partner assures a client that he’d personally draft a contract and then passes the work to a very capable first year associate for the initial draft, he assumes this tiny legal white lie would go undetected.  But clients began to discover the truth when they looked at the metadata in Microsoft Word’s properties fields to find the first year associate’s name instead of the partner’s as the author. Moreover, partner rates billed just might magnify an already embarrassing situation.  As a result, law firms started buying metadata scrubbing software as way to close leaks.

It appears that law firms, even mythical ones such as LG, have already been using and managing metadata. However, if tech savvy law firms and The Good Wife writers want to take their metadata knowledge up a notch and look into the world of human generated big data, they just might discover an added layer of protection, management and even actionable intelligence.

Thanks to http://www.varonis.com

Brilliant idea from an American kid

As a Florida native, 11-year-old Peyton Robertson knows the havoc that hurricanes can wreak. He also knows that much of the damage from these hurricanes comes from saltwater flooding. After seeing the extensive flooding that happened during Hurricane Sandy, he came up with a partial solution: a lightweight sand-less sandbag that’s purportedly more effective than traditional sandbags. His idea recently won the $25,000 Discovery Education 3M Young Scientist Challenge, which crowned Robertson as “America’s Top Young Scientist.”

more can be seen at http://www.fastcoexist.com/3020697/this-brilliant-kid-invented-a-sand-less-sandbag-for-the-next-hurricane-sandy

Speed Summary: McKinsey’s 12 Disruptive Technologies Changing the World

12 disruptive technologies that will transform life, business, and the global economy

1. Mobile Internet: Increasingly inexpensive and capable mobile computing devices and Internet connectivity will transform the $1.7 trillion Internet economy, and bring 2-3 billion more people online
2. Automation of knowledge work: Intelligent software systems that can perform knowledge work tasks involving unstructured commands and subtle judgments, impacting on the 230+ million knowledge workers with a $-7 trillion economic impact
3. The Internet of Things:Networks of low-cost sensors and actuators for data collection, monitoring, decision making, and process optimisation that make up the 100 million 100 million global machine to machine (M2M) device connections
4. Cloud Technology: Use of computer hardware and software resources delivered over a network or the Internet, often as a service – renting in the cloud costs 1/3 of earning a server
5. Advanced robotics: Increasingly capable robots with enhanced senses, dexterity, and intelligence used to automate tasks or augment humans – and cost-effective too; the new Baxter industrial robot costs 75–85% less than a typical industrial robot
6. Autonomous and near-autonomous vehicles: Vehicles that can navigate and operate with reduced or no human intervention – potentially saving 1.5 million driver-caused deaths: Google’s autonomous cars have driven over 300K miles with only 1 (human-cased) accident
7. Next-generation genomics: Fast, low-cost gene sequencing, advanced big data analytics, and synthetic biology (“writing” DNA): sequencing speed (per dollar) doubles every 10 months
8. Energy storage: Devices or systems that store energy for later use, including batteries – electric vehicles batteries have dropped 40% in cost since 2009
9. 3D printing: Additive manufacturing techniques to create objects by printing layers of material based on digital models – prices for home 3D printers have dropped 90% vs. 4 years ago
10. Advanced materials: Materials designed to have superior characteristics (e.g., strength, weight, conductivity) or functionality – $1,000 vs. $50 materials Difference in price of 1 gram of nanotubes over 10 years
11. Advanced oil and gas exploration and recovery: Exploration and recovery techniques that make extraction of unconventional oil and gas economical – fracking and horizontal drilling are set to increase US oild production 100-200% by 2025 – already there’s 3x increase in efficiency of US gas wells since 2007, 2x Increase in efficiency of US oil wells
12. Renewable energy: Generation of electricity from renewable sources with reduced harmful climate impact will account for 16% of global electricity generation by 2025 (85% Lower price for a solar photovoltaic cell per watt since 2000)

Thanks to http://digitalinnovationtoday.com/speed-summary-mckinseys-12-disruptive-technologies-changing-the-world/

 

Government’s New Mobile Code of Conduct: PIIs Get Noticed

You know those short notices that pop up right before you install a mobile app? That’s the splash screen that provides some information about what functions are being accessed and, in general terms, what information is being collected from users. After studying this matter for about a year and getting input from the usual stakeholders (industry, privacy groups), the US Department of Commerce  just issuedvoluntary guidelines covering the information app publishers should include in these notices. While this code of conductwill not satisfy everyone, it’s clear that personally identifiable information or PII will now be getting higher billing.

If you install an app on your Android or iPhone, you might be told the software will “Read contact data, read your profile data” and perhaps that it has access to “fine GPS location”.  At least that is what the mobile version of Twitter informed me, right before I decided against using it. But if an app publisher were to follow the new Commerce Department guidelines, they would need to explicitly state the PIIs and user content being collected from the following set:

• Biometrics (information about your body, including fingerprints, facial recognition, signatures and/or voiceprint.)
• Browser History(a list of websites visited)
• Phone or Text Log (a list of the calls or texts made or received.)
• Contacts (including list of contacts, social networking connections or their rphone numbers, postal, email and text addresses)
• Financial Info (includes credit, bank and consumer-specific financial  information such as transaction data.)
• Health, Medical or Therapy Info (including health claims and other information used to measure health or wellness.)
• Location (precise past or current location of where a user has gone.)
• User Files (files stored on the device that contain your content, such as calendar, photos, text, or video.)

We have had previous clues from other agencies, but it’s becoming more likely that the US regulators will be taking a more expansive view of PII in the coming years. The inclusion of biometrics, browser history, and geo-location means that quasi-identifiers are now on equal footing with traditional or classic PII—phone number, name and financial data.

If you’ve been following our HIPAA posts, this list shouldn’t be too surprising. The healthcare sector has had to deal with a far longer list in the form of the Safe Harbor rule, which includes most of the above items and quasi-identifiers for a grand total of 18 PII (or PHI as it’s referred to in HIPAA). Hospitals and other health networks have additional obligations, of course, to protect these medical PIIs through a series of mandated data security and privacy controls.

Unlike healthcare and financial companies, the Internet economy has mostly escaped—if you exclude COPPA—US data regulations. In other words, under the current model, even with these new guidelines, mobile app makers have no legal requirements to protect private consumer data. They would likely want to for obvious business reasons, and you can read the specific terms of service of your favorite mobile software to see what they’ll try to do.

Where is all this heading? A “Consumer Privacy Bill of Rights” has been talked about in Washington for years.  And you can read the latest iteration of this policy idea here. Even if a comprehensive data privacy law covering all companies doesn’t become law, regulators will be enforcing existing rules more tightly and consumer expectations for data security, especially in light of recent events, will only head upwards.

For organizations that want to stay ahead of the consumer data privacy curve, the above PII list from the Commerce Department is actually a good starting point: can your IT department guarantee that this small list of identifiers are secured from hackers and protected against unauthorized use?

Criminal Minds: Thinking Like a Hacker Makes Good Data Governance Sense

What can you learn from reading the exploits of the most successful hacking ring ever brought to justice? Last week, the US Attorney’s Office in NJ unsealed their indictment against a mostly Russian—one American co-conspirator was also named—gang of cyber-criminals who are alleged to have snatched over 160 million credit card numbers resulting in more than $300 million in losses over seven years. In scanning through the indictment, I was left with the strong impression that this group had a rock-solid business model, excelled at executing on their plans, and was actually good at following IT security principles—better than their victims.

According to the government’s investigation—based heavily on chat sessions between the hacking principals—stolen credit card numbers were sold through wholesale networks: US numbers would go for $10, Canadian for $15, and European for $50. The hacking gang, which the government more accurately referred to as an organization, would offer bulk discounts—i.e., corporate payment schedules. The distribution network would then resell stolen data through their channels to end users.

By the way, this hacking organization did not take credit card payments for their services—just bank wire transfers and Western Union.  Good move, on their part, because, don’t you know, credit card numbers are vulnerable to theft.

Their hack craft was a little more advanced than the common cyber thief’s. They relied heavily on SQL injection attacks to break into websites, rather than brute force password guessing. The retailer, banking, and credit card company victims validate yet again the stats from Verizon’s Data Breach Investigations Report on the most heavily hacked sectors. In a few cases, the hackers chose retailers based on the type of point of sale or POS equipment, because they could install specially configured software sniffers to vacuum up unencrypted card numbers.  And yet again, these mostly food and clothing retailers were PCI compliant.

After breaking in, the hackers then had the more complex problem of where to find the credit card number and other personal identifying data. In hack terminology, this is known as post exploitation.

To get a better understanding of post-exploitation methodology, you’ll need go over to the dark, or at least the gray, side. So I decided to take a look through the archives of Defcon—“the world’s longest running and largest underground hacking conference.”

I came across a good presentation on this subject written by two penetration testers (or pen testers as it’s known in the business). They note that the job of the hacker is to “hide in plain site”, and in bold red font on one of their slides is the command, “Don’t be an anomaly”.  Another slide points out that getting root access is not necessarily a desirable goal for a hacker because it’s also a user-level that is most likely audited.

This is generally solid advice, but of course the hackers can’t know ahead of time the long-term average behaviors of users, and there is, ahem, software that can spot atypical file access patterns.

Anyway, the two pen testers suggest you come in as ordinary user and selectively hijack credential and sessions. So which user should a hacker pick? Their overall advice is to “know the target environment”, then learn “who has access to what”, and find out “where is the data.”

Hmmm, where have I seen these words before? Obviously, this is core IT data governance wisdom that every sys admin should be applying in their daily work. It’s perhaps a bit counter-intuitive that we have pen testers to thank for making a solid governance case in a presentation on post-exploitation techniques. But in the upside-down world of hacking, it’s the cyber thieves who are doing a better job than the targeted companies at seeing the value in the data and applying good IT practices.

I have—and you should as well—little patience for those who want to scrimp on data governance as part of a security mitigation program. Ultimately, you want to be better than a cyber-gang at really knowing your data.

(By the way, Defcon 21 starts up this week in Las Vegas, and there’ll be more papers presented on post exploitation.)

Chris Anderson on New Areas for Big Data Analytics (Video)

Chris Anderson, CEO of 3D Robotics and former editor in chief of Wired on Quantified Self and the Internet of Things (GE’s “Industrial Internet”) as two new areas for big data analytics. Anderson: “Our ability to collect data is way ahead of our ability to make sense of it.”

Thanks to http://whatsthebigdata.com/

Meanwhile Back at the EU: Privacy Showdown over Cookies and Opt-in

Posted on July 17, 2013 by Andy Green

Let’s first get caught up on the status of the EU Commission’s proposed changes to the Data Protection Directive or DPD.  At the beginning of July, an important committee vote in the EU Parliament was delayed till September, at the earliest. This has been the third delay of a vote to bring the new regulations—which include The Right to Be Forgotten and tougher rules on data retention limits—to the full Parliament. US social media companies, who have not been shy about expressing their objections to the new regulations, should not declare victory just yet.

In a TV interview this week, German Chancellor Angela Merkel called for Europe to stand together on data protection regulations and to move towards “harmonized” rules across all countries. This is, of course, a reference to the stalled data protection regulations, which would ultimately bring a single set of rules and consistent enforcement to the EU zone. Currently, each of the 28 member nations has their own data protection authorities along with slightly different laws based on the common DPD.

After the interview, Merkel was the recipient of a shout-out from Viviene Reding, the EU’s justice commissioner and an important proponent of the new  regulation, who welcomed the Chancellor’s remarks.

The new data regulations can use all the help it gets: if they are not voted on before the EU Parliament elections in 2014, they may have to be scrapped and the process restarted. The public announcement from Merkel, though, may be just the push the  need to become a European-wide law.

But US social media players—one in particular—are finding that the existing DPD still has some bite. Last month, separate data protection authorities in France and Spain wrote letters to Google demanding it provide more explicit information on its omnibus terms of service to users and to obtain consent before storing cookies. Google was given a deadline of a few months to comply.

Similar notices were also recently sent to Google by data authorities in Germany, Italy, and the UK.

These separate national regulators are basing their demands on a key concept embedded in the core Data Protection Directive: consumers own their data and companies, as “data controllers”, need their consent to process the data when it’s used outside of essential business functions.  The EU battle over opt-in and cookies—E-Privacy Directive—has actually has been brewing for some time, but it was Google’s bold move early last year to consolidate all its separate ToS into a single document that pushed the regulators’ buttons.

I’m not sure what will be the fate of The Right to Be Forgotten and other stricter rules in the pending regulations.

But as for the data ownership philosophy expressed in the current laws? I think the EU will be standing firm and US companies should pay attention.

 

For Better IT Security, Uncle Sam Wants You to Monitor

Remember when the President signed the Critical Infrastructure Executive Order a few months ago? Essentially, the order directed the federal government to focus its considerable resources on cybersecurity threats to our core oil, electric, and transportation systems. It turns out that a good part of the government’s program involves sharing both classified threat information and technical advice with owners and operators of critical infrastructure.

On that latter point, the US’s leading technical and scientific standards organization, NIST, recently rolled out an update to its long-standing security standards guidelines for federal agencies. Motivated by the executive order, NIST has asked agencies and critical infrastructure players to consider, what it calls, a “Build It Right” approach to data security.

Befitting a government document on cybersecurity, NIST’s Security and Privacy Controls for Federal Information Systems and Organizations is over 400 pages and covers 18 basic security controls, each coded with a two-letter identifier—from Access Controls (AC) to Program Management (PM). Anyway, if I can summarize NIST’s “Build It Right” philosophy in one word, it is “monitoring”. In fact, a quick query of the PDF reveals that monitoring shows up over 300 times.

NIST is a strong believer in continuous monitoring, which is an important part of its baseline security controls. So if you look through specific controls, say Access, you’ll spot references to monitoring of user accounts for unusual activity, and monitoring of remote access for unauthorized connections. The M word shows up often in the other 17 controls.

According to NIST Fellow Ron Ross, monitoring gives decisions makers “near real-time information” to respond to cyber attacks. It’s really a way of saying that no matter how good your frontline security is, you’ll need to monitor preventive controls to make sure they’re not changed incorrectly, and monitor activity to spot the attacks that fall through the safeguards.

Monitoring activities in complex systems is, of course, a perfectly respectable approach for companies outside of the world of oil refineries and hydroelectric dams. We recently published the results of a survey conducted to learn how prepared companies are in detecting data security incidents in real-time.

The results show there’s much room for improvement—a mere 6% have true real-time capabilities to spot breaches in progress. The rest have varying levels of notification technologies, and an eye-brow raising 24% have absolutely no alerts in place.

I won’t try to guess how critical infrastructure operators would perform in our survey—we hope it’s better than 6%. The key point, though, is that the US government recognizes that monitoring technology is an essential part of our national defense against cyber attacks.

We’ll have more to say on this in the coming months.

Rethinking bricks and mortar

Speaking at PSFK CONFERENCE 2013, Rachel Shechtman, founder of STORY, laid out the fundamentals of her retail concept and gave an update on recent themes. Shechtman describes STORY as a 2,000 square foot space that has the point of view of a magazine, reinvents itself entirely every four to eight weeks like a gallery, and sells products like a store. This multi media concept combines curation and editorial content with traditional brick and mortar retail.

I must say that the video is truly inspiring, especially when you look at all the empty retail spaces up and down the high street in every UK city. Local entrepreneurs could really look at this concept and partner with local colleges, bars, stores, online retailers to create branded pop-up stores that could be supported by local councils. This innovative strategy could help with creating more of a local feel to retail, add to this technology for taking payments etc and the cost of set-up could be dramatically reduced.

Local councils take a look and start to engage key stakeholders to deliver real community value.

Yet Another Reminder that Cybercrime Isn’t Going Away

Posted on June 25, 2013 by Andy Green

Last week, PricewaterhouseCoopers released their 2013 US State of Cybercrime Survey. Coming on the heels of Verizon’s 2013 Data Breach Investigations Report, recent ID theftdata from the FTC, and our own Privacy and Trust Survey, the PwC report fills in additional details on what is an all too familiar background: many companies are unprepared to handle breaches. According to the Cybercrime Survey, which was based on interviewing 500 C-level executives, almost 30% said that they did not have a plan in place to respond to cyber-security events.

Even more dispiriting is that the percentage of “don’t knows” in response to questions about corporate security practices and breach incidents hovered in the 20% range. These are not just any C-levels, but mainly CIOs, CTOs, and CSOs saying they don’t have the information to answer basic questions about types of threats, incident planning, and financial impact of breaches. PwC describes the situation as the proverbial frog in a slowly boiling pot of water. In other words, tech-oriented decision makers find the current situation uncomfortable but not intolerable, and seem to believe it won’t get worse.

There’s a small spot of good news in that C-levels understand that multi-factor authentication, one-time passwords, encryption, access controls, and role-based authentication should be part of any prevention and mitigation program.  That is a good start.

However, the PwC survey team makes a strong case that executives seem unable to properly apply security technologies, taking a “throw everything at the problem” approach.  Given a long list of solutions, they rate as equally effective the previously mentioned short list, as well as biometrics, spam filtering, rights management, and application configuration management.

Of course, everything has its place, but as security experts have been saying for years, strong passwords and strong authentication will stop many hacking attempts before they really get started. If hackers or malware, especially advanced persistent threats or APTs, do get past IT’s front line defenses, then well-maintained access controls are extremely effective in helping to prevent personally identifiable information (PII) and other confidential data from being taken from file servers.

I’ll add file-level auditing–which wasn’t mentioned in the PwC survey—as another effective Plan-B strategy. It’s a detective control that can spot a breach in progress, and make breaches that do happen much easier to quantify and recover from. Security pros know all to well—see Verizon’s DBIR– that  cyber thieves often have months to lurk in file systems, and so the quicker they’re spotted through their unusual access patterns, the less chance they’ll have in finding high-value content.

One of the take-aways from the PwC survey is that C-level executives  need more education and training on data security. Simply throwing the same-old technology at the problem won’t necessarily help as hackers evolve their threat actions, especially in the area of social attacks.

Lesson for C-level suite: the water will get hotter.

By the way, we’ll be adding some additional data points into the security conversation with a new survey that we’re just finishing up. Check back with us next week.