I always enjoy reading Jenn Leggio’s Social Business column at ZDNet and am thoroughly enjoying 100 Brains. Today she interviews Microsoft Security Guru Katie Moussouris, focusing on some social media security specifics that I found particularly interesting.

Before writing about what I found specifically intriguing, I want to digress slightly to headlines of the past couple days related to Facebook’s third-party app privacy flaws (or I guess you would call flaws “features” if you were on the third-party app side ). The headlines made it sound as if there was some profound revelation in that Facebook was — can you imagine — not protecting users’ privacy, gasp! When the headlines broke, the first thing I posted on my Facebook was that I could hardly believe by now that anyone using Facebook does not understand that virtually anything and everything they post is, in a word, accessible. Anyone who hasn’t figured out that Mark Zuckerberg is providing a place to “share” and not “hide” information really doesn’t get the whole point of the site.

Back to the Leggio column with Moussouris. The QA I found intriguing (because it backs my opinion) is this:

Q. There’s a lot written about security and social media and education. Do you think it is reaching the right people?

A. I think that it doesn’t matter who it reaches, as there will always be people who will flock to social media sites regardless of whether or not their info is secure.  I personally assume and accept the elevated security risk in using social media. There was a time I tried to resist using graphical web browsers (I used lynx), due to my inherent paranoia, but the draw of The Onion online with hilarious photos drew me in and I began using another browser.  Similarly, the convenience features, and lure of all your friends in social media will draw even some of the most paranoid security people to join in. I think the right education for everyone about current social media and security is to set the expectation that it bears security risk, and that’s that. Use at your own risk!

Facebook, and any online social community, “bears security risk, and that’s that.”

One final thought:

There are instances where security risks on Facebook and the like aren’t inherent in the purpose of the technology, which, again, is to share and not hide information. These instances include social engineers and other attackers who blatantly attempt to suck users in with malicious links and nefarious offers. Does Facebook have an obligation to keep the criminals out and its users protected? I don’t want to get into this philosophical argument but I will opine that we — users — are placing a rather unrealistic expectation on Zuckerberg if we thing that he alone can solve the problem of Internet crime and security.

RSA Conference 2010 is here, that’s especially true if you’re in PR and you have an information security client that’s contracted with you to raise awareness for them at the show among media and bloggers. If you’re representing McAfee, Symantec, Cisco, RSA (EMC’s security division) or another mega IT security powerhouse, stop reading — you should be able to attract big ink and electrons based on their size alone. These companies have so many thousands of international customers and so many people dependent on their latest versions that journalists and bloggers owe it their loyal readers to keep them informed on their latest moves.

If, however, like most of us, you have a smaller client with news that is worthy of coverage but not necessarily able to compete with the biggies, don’t despair, there’s ample opportunity to get your clients the coverage they deserve and need.

If you are representing one of the smaller players in the market, there are a few steps you can take to secure them coverage, when pitching for a briefing remember to:

• Develop a story around your clients’ news that relates to common trends that will rise out of the conference. Does your clients’ news fit in with the cloud, social networking, Web 2.0, application vulnerabilities, the next wave of viruses, Obama’s plans for cybersecurity, protection of digital healthcare records?
• Start reaching out for briefings now, you may not be able to get what you’d otherwise like to during the actual show, but you may be able to do a fair amount of phone briefings leading up to it, thus ensuring that your client is part of roundups and other show-related features that publish.
• Consider making your announcements a week before the show. Breaking news leading up to the conference provides press and bloggers with an opportunity to write about developments outside of those they need to cover at the show itself. Enabling them to provide a wider variety of news and information to their readers while at the same time alleviating pressure on them to have to try and cover everything the week of the show may be of help to them.
• “Cyberthreats,” “Cybersecurity,” “Cyber-this and Cyber-that.” Remember, telling a writer that you clients’ new version and its features responds to cyberthreats, is a little ambiguous at best. When talking to the media and bloggers, specify the threat it defends against, “My client’s new feature was used by company Such-and-Such to thwart Conflicker, here’s how …,” is valid information that the information security community can actually use to improve the security environment — news a blogger or journalist could actually attract readers with.
• Consider responding to the RSA blogs. Chances are journalists and bloggers covering the show will, at some point, review at least some of these and possibly formulate ideas — if you’re client is on the ball with being part of these then you just might earn them a little play.
• Know what the journalist or blogger you are reaching out to covers; understand their beats. I know, I know — this little bit of direction can be as ambiguous as my thoughts on the use of the term “Cyberthreats.” What I mean by this, is that you should know a few basics prior to your approach: 1.) do they cover product announcements? 2.) do the vast majority of their articles include customer interviews? 3.) are they primarily focused on keeping up with the latest threats? 4.) are they channel-focused or vendor-focused? 5.) do you see any direct or inferred theme or pattern in their last five to six published articles? 6.) Do they rely on hard facts and information that comes out of surveys and other studies? If you have answers to these questions, then you’ll know what to bring them.

Hopefully, these tidbits of information will help you secure some of the coverage you’re on the hook for. They’re by no means full proof but they are based on what I’ve learned through experience over the past few conferences. Watch for my soon-to-publish survey results of journalists’ and bloggers’ top peeves when it comes to pitching them for RSA briefings.

Posted by Joe Franscella – 12-28-09 –

The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists with a platform to launch attacks against the US that could have fatal results.

Appointment of an official to a new position is only a first step though, the question remains, “what will Schmidt do?”

It makes sense for Schmidt to engage with private business to address cybersecurity problems and to close security gaps — the White House may be responsible for defending the nation but private enterprise produces the technology that fuels and defends cyberspace.

Schmidt will undoubtedly seek counsel from established IT security vendors, vendors that will use these counsel opportunities to sell him on the importance of influencing congress to pass legislation calling for regulations that their solutions can provide compliance for. But, will these traditional vendors’ solutions be enough to close security gaps that could lead to fatal outcomes?

Any strategy that relies on technologies supplied by established, major enterprises as the sole means of ensuring security in cyberspace will fail. Evidence to this is clear, in the last year there have been dozens of reports and news headlines that have revealed cyberattacks that have resulted in compromises to top-secret defense initiatives, power grids and other critical systems. It’s safe to assume that most of those breaches took place on networks founded on established technologies.

To reduce risk, Schmidt is going to have to move beyond traditional Washington politics that drive public-private efforts. He is going to have to open Washington’s collective mind to listen to more than just the major enterprises that have lobby dollars available to shape thought on Capitol Hill, and he is going to have to reach out to innovative small companies and startups that have developed game-changing security technologies.

So, how should Schmidt engage startups and other small and innovative technology vendors that typically don’t have budgets for lobby efforts?

Some steps Washington could take to reach startups and small IT security vendors in the quest to reduce risk are:

1.    Establishment of federal grants for small vendors and startups to fund lobbying efforts
2.    Sponsoring a federal “Demo Day (or Week)” that provides small vendors and startups with funding to cover the costs associated with demoing their solutions on a DC stage
3.    Establishment of federal grants for small vendors and startups that could be used to fund marketing efforts focused on the federal government
4.    The formation of a federal VC banking system that provides taxpayers with equity stakes in IT security startups and small enterprises

When it comes to protecting the nation against cyberattack, foresight needs to be 20/20. It would benefit the nation to identify security technologies that reduce risk prior to a tragedy as opposed to after one. The only way to do this is to take steps that facilitate connections between the federal government and innovators that have the potential to change the game.

Nobody loves to get angry at Microsoft Windows more than I. At least a few time a day, I am annoyed over bells and whistles that pop up unannounced and uninvited, ticked over apps that just decide to stop responding or swearing while trying to find emails I know I sent and received.

Every now and then, here and there, I see something of interest that catches my attention that I think is worth commenting on (Bill Gates, are you not honored that you’ve got my attention?). This morning, I was scanning eWeek and Don Reisinger’s slide show: 10 Windows Security 7 Features You Should Know About caught my attention, specifically the slides related to BitLocker. Having PR’d for encryption clients, I was intrigued by the fact that the BitLocker functionality seemed to render some of the solutions I’ve hawked mute. The only thing the show left me wondering was whether or not BitLocker and the other security features responded specifically to specific compliance regulations — PCI and HIPAA included. I emailed Don to see if he had any further information on the subject. Hopefully he’ll respond.

Other news items that caught me attention today:

M86 Buys Finjan in Web Security Play
By Brian Prince at eWeek: Fresh off the acquisition of Avinti, M86 Security announces the acquisition of Finjan. The deal, made for an undisclosed sum, brings Finjan’s enterprise-class solutions to the company.

LinkedIN With ‘Bill Gates’
Kelly Jackson Higgins at Dark Reading: Bill Gates invited me to join his LinkedIN network. OK, so it wasn’t really Bill Gates, but as far as my email system, spam filter, and email client were concerned, it’s perfectly normal for Gates to send me a LinkedIn invitation.

ArcSight adds unstructured log analysis with Logger 4
By Robert McMillan of IDG News Service: Logger now offers integrated structured and unstructured data analysis; designed to mine unstructured computer logfiles for signs of hacking or illegal activity.

Manhattan DA Announces Major ID Theft Indictment
By George Hulme of InformationWeek: What is particularly disturbing in this case is the length of time, from November 1, 2001 to April 30, 2009, that the crimes were allegedly underway — almost 8 years.

Posted by Joe Franscella

I’m not big on press releases or announcements that start off by stating “… is pleased to announce …” But, I gotta say that in this particular case I really am pleased to announce (on Security Heavy) Trainer TV, my firm’s video contribution to the IT, marketing and public relations spaces.

Trainer TV is Trainer VP Ross Perich’s long-developing idea in action. Ross has brought his experience and talent as a former TV reporter and AP award winner to the regular show that not only showcases what’s happening in IT, marketing and communications, but also Trainer’s prowess at producing video. I am proud to say that I am Ross’ right hand man in the endeavor, have the opportunity to do much of the shooting and editing and I get to apply my skill at chroma keying and inserting digital backgrounds (unlike agencies that outsource this level of technical production, Trainer does it all in-house).

The first two segments we’ve released feature insight from security executives  interviewed during the Executive Women’s Forum (EWF) party held during RSA Conference 2009. The one above is about what keeps security executives up at night and the one below is about threats execs are on the look out for. Both  include comments from the heads of security at enterprises including McCormick Spices and Braclays Bank. We have more IT security segments coming out over the next coupld of months.

Click here to view the embedded video.

Found threatpost.com to be quite intriguing – I think its good news for the news industry that corporations are stepping in to fill some of the gaps that the slowing print industry is experiencing. Had a chance to interview editor Ryan Naraine on video about the new Web tech news outlet, I’ll be posting it next week.

Security Blogger Network Meet-up – Appreciated being able to mix with and meet some of the people I read ever day outside of the pressure of trying to pitch them; especially enjoyed the conversation with Chris Christianson on firewall audits.

Appreciated Andreas Antonopolous‘ virtual security panel with Chris Hoff, Simon Crosby, Stephen Herod and – sorry – can’t recall the other panelist’s name. Thought Andreas did a great job pulling the whole thing together with some actual solutions to the challenge.

Posted by Joe Franscella

To participate in the discussions and view the survey results, join them on Twitter @Secure Passage, Facebook and LinkedIn.

The discussion-sparking surveys are “Virtual Firewalls: Myth vs. Reality” and “Impact 09: How Reduced Spending is Affecting Information Security.” The virtual firewalls survey will look at how enterprises are using virtual firewalls in their enterprises; the IT spending survey will reveal how the current economic situation is affecting IT security spending and security overall. Both surveys will poll IT security decision makers from a wide range of industries. Results from the virtual firewalls survey will be released on Tuesday, April 21 at 4 p.m. PST; the IT spending survey results will be released Wednesday, April 22 between 9 a.m. and 11 a.m. PST.

Trainer Communications will also be there in force. Several companies are meeting with the company’s CEO Susan Trainer and Security Practice Vice President Mary Van Zandt to discuss how to improve their current marketing and communications. Both Susan and Mary have been in the marketing and communications game for more than two decades and Mary has spent a majority of that time focused on IT security. If you are going to be at RSA next week and want to get a gratis competitive media analysis between you and a leading competitor, contact Mary at mvanzandt at trainercomm dot com.

Until then – see you at RSA!

Posted by Joe Franscella

See:

As a financial services institution, you’re uniquely vulnerable to data breach. That means you’re also vulnerable to its potentially catastrophic costs.

Protecting your merchants. Securing their assets. Saving their businesses—and yours.

Equally interesting was that Royal Group reported that the 35 million number was a 50 percent increase over 2007.

Posted by Joe Franscella

“There is hacking,” says Legge. “Hackers are coming after the electrical grid all the time.” (Ed Legge is pokesman for the Edison Electric Institute (EEI), an association representing about 70 of the largest utilities which generate the bulk of the nation’s electricity through complex swatches of eastern- and western-distribution grids and management and control points called Independent System Operators)

What the security vendors said:

“The whole grid going down is the hardest one to believe,” says Eric Knight, senior knowledge engineer at Log Rhythm, noting the Wall Street Journal article lacked sufficient information “about why we should be panicking, per se.”

“This should come as a surprise to no one,” says Patrick Peterson, chief security researcher at Cisco, adding, “The truth is slowly coming out.”

Shane Buckley, CEO at Rohati, says he’s worries that “a number of utilities outsource development to Eastern Europe, Russia and China,” and cyberspy attacks could originate through outsourcing. (Disclaimer: I represent Rohati).

These stories hit hard and fast but I doubt they are over. It will be interesting to see how this plays out.

Network World’s Tim Greene launched his Cloud Security Alert newsletter today with a look at What is a cloud? Wrote Tim:

“So the cloud is a physical place, perhaps owned and controlled by some other entity, and it contains computing resources that are available pretty much on demand for a price. Simple enough, but there are plenty of variations.”

He goes on to explain it further, leaving the reader with a basic deffinition, something of value in today’s (excuse me for this nest description) “foggy cloud environment.”

In terms of cloud deffinitions, I also like the one in Gartner’s 2008 paper: Tutorial for Understanding the Relationship Between Cloud Computing and SaaS

In the paper, Gartner defines cloud computing as: a style of computing where massively scalable ITenabled capabilities are delivered as a service to external customers using Internet technologies. One IT-related function can be a software application. If the software application is written in such a way that it is “massively scalable,” then SaaS is considered a form of cloud computing (SaaS).

Posted by Joe Franscella

When learning about the system, the first thing that stuck out to me was how primitive, from a technological standpoint, it was. There were no alarms that alerted the power company when the power went out, it relied on calls from end users; the ultimate advance in handling downed high voltage power lines were rubber gloves and boots; and meters were still being read by service men and women who traveled door to door.

Deregulation was really what began to kick off a technological revolution in the industry and the Internet became the vehicle that allowed the market to be open to independent power and services vendors. California created the Independent Systems Operator (CalISO), a wholesale power clearinghouse that HQ’s in a state-of-the-art control center no doubt built on an IP infrastructure, independent technology vendors began to flood the market with “cost-effective” meter reading devices that operated through cellular relays and the Internet, and companies like Enron and Duke Energy played on the wholesale market through Internet-based trading floors. Fast forward to 2000, I was out of the power industry but heavily immersed in the middleware business as a communications manager for a major supplier. In addition to providing EAI for ERP vendors like SAP, one of the company’s primary markets was energy. It supplied much of the middleware that integrated trading applications.

In ’97 and 2000, the world was abuzz with integration and Internet-enabled technologies that were fueling the IT revolution for sure; no one was talking about security though. I can distinctly remember PeopleSoft’s (now Oracle) VP of marketing talking about the importance of 8′s pure HTML design during the big launch, but I can’t once recall him mentioning security.

Fast forward to today. The Wall Street Journal, CNN, Network World, CNET and SC Magazine have all printed features about a recent report that points out that cyber spies have infiltrated the US power grid via the Internet, leaving behind software (malware and bots I guess) that can feed back information and even allow them to disable the system.

As a communications manager with a power company in ’97, I read through hundreds of pages of deregulation related materials, as a communications manager with a middleware company I was immersed in Internet-based EAI daily, I can say with some degree of confidence that no one saw the security threats coming.

It will be interesting to see where this story heads. Could this be what sparks the next Microsoft-sized technology innovation wave? If a bot, malware, worm or something along these lines leads directly back to a foreign government’s intelligence agency, will that be what really forces technology to develop based on security first? It’s one thing to hack a defense system and get some information about defensive strategy of weapons development, being able to shut down the power is an entirely different matter. Imagine, all of the sudden, the power supply to Manhattan, San Francisco, Chicago, LA and Dallas shutting down – all at the same time. Remember the Road Warrior sequel Mad Max Beyond Thunder Dome — who really rules Bartertown?

Posted By Joe Franscella