April 19, 2007
» Ten Top Real ID Complaints

I've taken a couple of opportunities to express my concerns with the Real ID Law.

Wilson Dizard III shared this list in a recent edition of Government Computer News that I felt was worth sharing with you.

The Real ID law has met with a fusillade of criticism from state and federal lawmakers, privacy advocates, state executive branch officials and commentators. Opponents have cited dozens of potential technical problems, including:

10. Only one of the five national systems that state motor vehicle departments will need to implement the Real ID law is currently ready, according to the National Governors Association. DHS itself concedes that some federal “reference databases” aren’t yet complete.

9. Real ID calls for states to use a single array of security features for driver’s license cards, which could force states to abandon existing card issuance systems.

8. The federal government lacks a uniform naming convention that would facilitate states’ electronic verification between files.

7. The door remains open for creation of a de facto national identity database.

6. The draft Real ID rule doesn’t include a redress process, which likely will become a technical as well as a policy issue, because thousands of people now have driver’s licenses with faulty data.

5. The draft doesn’t require that data on the license’s machine-readable zone (MRZ) be encrypted. DHS has said that distributing encryption keys, or a single, common key to the 16,000 state and local law enforcement agencies that will need access to the MRZ data would pose an unacceptable challenge. The department said it would favor MRZ encryption if the practical problems could be solved and raised the possibility that the MRZ shouldn’t include the bearer’s address.

4. Some critics charge that Real ID magnifies privacy risks, partly by shirking the requirement that federally sponsored systems meet the standards of the Federal Information Security Management Act. The draft rule states that it doesn’t create a national database because it leaves the interstate data exchange decisions to the DMVs. That statement prompted Jim Harper, director of information policy studies for the Cato Institute, to posit that DHS was saying, “My car didn’t hit you—the bumper did.”

3. DHS has failed to require that the MRZ omit the race identifier field.

2. Real ID fails to take advantage of identity verification processes the federal government already carries out when it issues passports, military IDs, Transportation Worker Identification Cards and some federal employee credentials. The National Conference of State Legislatures has asked why, if individuals holding such documents can already board an airliner, they should be checked again to get a driver’s license.

1. Technical challenges, such as the apparently inadvertent omission of several categories of legal residents eligible for the credentials and the high cost to states of complying with the law, have spurred a vigorous rejection campaign in state capitals. Idaho and Maine already have enacted laws rejecting the Real ID requirements, and similar legislation is pending in dozens of additional states.

I'd like to hear your comments, pro or con, on this law.


April 13, 2007
» Keep Watch for "Storm Trojan"

According to headlines on ComputerWorld yesterday, the largest spam attack in the past year is well underway.

"Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers," according to the article by Gregg Keizer.

Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, according to Adam Swidler, senior manager of solutions marketing at Postini, who was quoted in the article.

This attack is certainly a good reminder that systems need to have anti-virus and anti-spam software installed and operating, but, perhaps even more than that, it's a great reminder to use common sense and don't open emails or attachments unless you know their source. 

April 4, 2007
» More On the Real ID Act

It's always gratifying to post your thoughts in a blog and then see it validated somewhere else.

A few weeks back, I shared my thoughts on why the Real ID Act was a really bad idea. In a recent edition of GCN, columnist William Jackson offered similar opinions to mine.

In his commentary, Jackson makes these important points:

  1. The Real ID Act is an unfunded mandate
  2. While the deadline for implementation is May 2008, Homeland Security still has yet to release compliance regulations for the Act
  3. The Real ID Act requires interconnected databases of personal information on each of the 245 million people receiving cards, with absolutely no safeguards on the data or how it can be used
  4. The Real ID Act was passed without that debate - it was slipped into a spending bill that provided relief funding for troops and tsunami relief

While 25 states are either urging Congress to repeal or reform the law, only Maine has actually passed a resolution refusing to comply.

I agree with Jackson - the issue is not what can be done to delay or reshape the act, as some in both the House and Senate are attempting to do, but, is a national ID advisable at all?

We all must understand - this is legislation that has passed. Without action, it will be implemented in just over a year.

No one should let that happen...

April 3, 2007
» How IT Can Minimize Gift Card Fraud

Frank Hayes, senior news columnist at Computerworld, is one of those writers that makes you want to read a magazine from the back to the front. Hayes' column, Frankly Speaking, appears at the very back of each edition and is almost always a "must read."

Last week, Hayes' column, 8 Million Reasons, really struck a chord with me. Sometimes we spend so much time trying to blame somebody for problems, we fail to make the effort to identify ways to solve the problem.

One of the revelations coming from the TJX breach was the arrest of a Florida gang who had used some of the stolen cardholder information to obtain at least $8 million in Wal-Mart gift cards. Hayes identifies two key areas where IT could have thwarted or at least minimized the gift card scam.

  1. After credit cards are reported stolen and have been deactivated, retailers should use the list of stolen card numbers to automatically search their own recent transactions for suspicious activity - such as the sales of gift cards. If they find gift cards that were purchased with stolen cardholder information, they could deactivate those gift cards and recover some of the money.
  2. Even if gift cards purchased fraudulently have already been used, those transactions could be flagged so that if the merchandise is brought back for a refund, the return is spotted at that point. Again, merchandise is recovered and there is no further cash loss from providing a refund.

Hayes points out that IT has the ability to make this all possible automatically and continuously. The data is there, but the software and database performance isn't.
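As an added illustration, not code from Hayes' column or from the original post, here is one way the two checks above could be implemented: a retroactive sweep of recent transactions when a stolen-card list arrives, followed by a point-of-sale refund check. All transaction records and ids are constructed, and payment cards appear only as tokens rather than raw card numbers.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str              # "gift_card_sale" | "gift_card_redeem" | "refund"
    tender: str            # tokenized payment card, or gift card id for redemptions
    gift_card_id: str = "" # gift card sold (gift_card_sale only)
    receipt_id: str = ""   # receipt created (redeem) or being returned (refund)
    amount: float = 0.0


@dataclass
class FraudState:
    deactivated_gift_cards: set = field(default_factory=set)
    tainted_receipts: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def sweep(transactions, stolen_tokens):
    """Step 1: when a list of stolen cards arrives, search recent transactions
    for gift cards bought with them and deactivate those gift cards.
    Step 2: find merchandise already bought with those gift cards and
    remember the receipts so a later refund attempt can be caught."""
    state = FraudState()
    stolen = set(stolen_tokens)
    for t in transactions:  # pass 1: gift cards paid for with stolen cards
        if t.kind == "gift_card_sale" and t.tender in stolen:
            state.deactivated_gift_cards.add(t.gift_card_id)
            state.alerts.append(("deactivate_gift_card", t.txn_id, t.gift_card_id, t.amount))
    for t in transactions:  # pass 2: goods already bought with those gift cards
        if t.kind == "gift_card_redeem" and t.tender in state.deactivated_gift_cards:
            state.tainted_receipts.add(t.receipt_id)
            state.alerts.append(("taint_receipt", t.txn_id, t.receipt_id, t.amount))
    return state


def check_refund(state, refund):
    """Point-of-sale check: refuse a refund against a tainted receipt."""
    if refund.kind != "refund":
        raise ValueError("not a refund transaction")
    if refund.receipt_id in state.tainted_receipts:
        state.alerts.append(("block_refund", refund.txn_id, refund.receipt_id, refund.amount))
        return False
    return True


def gift_card_active(state, gift_card_id):
    return gift_card_id not in state.deactivated_gift_cards


# Constructed sample data: tokens tok-0002 and tok-0005 are reported stolen.
STOLEN_TOKENS = {"tok-0002", "tok-0005"}
TRANSACTIONS = [
    Txn("T1", "gift_card_sale", "tok-0001", gift_card_id="GC-100", amount=50.0),
    Txn("T2", "gift_card_sale", "tok-0002", gift_card_id="GC-101", amount=400.0),
    Txn("T3", "gift_card_sale", "tok-0002", gift_card_id="GC-102", amount=400.0),
    Txn("T4", "gift_card_redeem", "GC-101", receipt_id="R-9001", amount=399.0),
    Txn("T5", "gift_card_redeem", "GC-100", receipt_id="R-9002", amount=45.0),
    Txn("T6", "gift_card_sale", "tok-0005", gift_card_id="GC-103", amount=400.0),
]


def demo():
    state = sweep(TRANSACTIONS, STOLEN_TOKENS)
    legit = check_refund(state, Txn("T7", "refund", "", receipt_id="R-9002", amount=45.0))
    fraud = check_refund(state, Txn("T8", "refund", "", receipt_id="R-9001", amount=399.0))
    return state, legit, fraud


if __name__ == "__main__":
    state, legit, fraud = demo()
    for alert in state.alerts:
        print(alert)
    print("refund on R-9002 allowed:", legit, "| refund on R-9001 allowed:", fraud)
```

In the sample run GC-101, GC-102 and GC-103 are deactivated, receipt R-9001 is tainted, and only the refund against R-9001 is blocked.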

It's easy to point fingers in a case like TJX. The hard part is to do something about it. Taking steps to blunt the gift card scam is one really positive way to help blunt the value of stolen cardholder data.

March 30, 2007
» TJX's SEC Filing Raises New Questions

TJX's 10-K filing to the Securities and Exchange Commission was made public Wednesday and has made for a whole new set of news stories, blog postings, and speculation.

The report seems to indicate that the TJX Companies, Inc. was employing encryption technology on its cardholder transactions and did delete confidential data on some sort of a regular basis. That's the good news.

The bad news is the intruders apparently were able to capture the card information of 46 million users by installing software on the systems at TJX's Framingham headquarters that copied the information prior to it being encrypted. TJX also admitted that it appears the intruders had a copy of their encryption key, apparently as a back-up in case the software failed to work or the data was encrypted prior to the point where the software captured it.

Needless to say, the new questions will swirl around how rogue software was allowed to remain in their systems for so long without detection, as well as how the key was obtained.

The information in the 10-K only reveals TJX's perspective of what happened. It will be interesting to see what is revealed as the SEC begins to dig into this further.

Have these latest revelations changed your perspective on the TJX breach at all? I'd be curious to hear whether these new details are swaying opinions, one way or the other.

March 23, 2007
» Congress' Double-minded View of Data Security

I wrote a few weeks ago about the incredible abuses of data perpetrated by the Governor of Arkansas and the Chicago Elections Board. So, I just had to shake my head when I read Jim Rapoza's column in eWeek.

Rapoza calls out the schizophrenia that appears to be affecting Congress with the introduction of the Personal Data Privacy and Security Act of 2007, which is designed to provide prompt notification to victims when data breaches occur and to make companies accountable for the lack of security that may have led to the breach (think a national version of California SB 1386).

The flip side of this is Rep. Lamar Hunt's Safety Law. Its intent is to stop adults who exploit young people over the Internet. However, the law, if passed, would require ISPs and possibly every Web site to store all the data of Internet users just in case it's needed in a future court case. There would potentially be no maximum time limit for this data to be retained. There's even a possibility that this law could allow this data to be used for civil legal actions. Can you imagine the potential ramifications of that? Employers poring over employee Internet use. Divorce cases with Internet activity disclosed.

Ironically, this same Rep. Smith was also the sponsor of the Telephone Records and Privacy Protection Act of 2006, which protects phone records and makes pretexting illegal.

A reasonable balance needs to be found between individual privacy and the need to retain certain data necessary to identify illegal activity. But is Congress, with all of the various special interest groups pandering to them, the right people to find this balance? 

March 19, 2007
» Real ID is a Real Bad Idea

I don't know if you've been following the story on Real ID, the Department of Homeland Security's controversial plan for the first national ID system. I've been watching it, especially with neighboring states like Maine already rejecting the bill and Massachusetts considering it. In all, 38 states are in the process of passing legislation against this bill, according to an article in eWeek.

I have to tell you - I find it incredible that the Department of Homeland Security is behind this bill. First, the track record of the Federal Government demonstrating strong information security practices is...not good. Remember the small problem the VA had with 26.5 million veterans records? How about those sterling FISMA grades?

The biggest flaw with this act, which managed to get pushed through without a single hearing, is what a huge target it is for identity thieves. Apparently I'm not alone in that opinion, as other analysts are starting to speak up. One of the fastest growing targets for these thieves is state Departments of Motor Vehicles - and there are 50 of them! What happens when all that data is in one place?

You've created the Perfect Storm of data insecurity - the Federal Government managing a single database containing an entire country's personal information.

Who came up with this idea again, Homeland SECURITY?

March 10, 2007
» Preparing for DST Not As Simple As It Seems

We're less than 24 hours away from changing the clocks for Daylight Savings Time - a full three weeks in advance of past years. Based on the number of articles and blogs published this week on the subject, a lot of people are scrambling at the last minute to get ready.

In fact, according to an article earlier this week in ComputerWorld, a lot of people are being caught off-guard by just how much of a challenge DST patching has created. In the story, Forrester Research analyst Ray Wang is quoted as saying, "the early time change is turning out to be 'a bigger deal than vendors or customers had expected.'"

As the reality of how big a deal this is sets in, frustrations apparently have been rising. A late-week article on eWeek.com said many Microsoft customers are venting in on-line chat rooms about their experience.

I don't usually plug our products here, but if you still find yourself without a solution for patching in place, my company, Ecora Software, is offering free trials of our patch management tool to help organizations through the DST process. In addition to automating the deployment of Microsoft's patches for DST, you can also patch non-Microsoft applications that run on a Windows platform as long as you have access to the patch file.

Let me know how your experience goes with DST and what lessons you've learned.   

March 8, 2007
» Time Running Out to Prepare for DST Change

Daylight Savings Time arrives early this year - this Sunday, in fact. Hopefully, you're already aware of this news. But, if you aren't, embedded in a federal energy law passed in 2005 was a change to Daylight Savings Time that pushed it three weeks earlier in the year.

While not being prepared could just fall in the nuisance category for most, being off by an hour in some organizations could cause some larger headaches.

Microsoft is putting in an all-out effort to ensure its customers are prepared. According to a post on ComputerWorld, Microsoft support will be hosting a series of webinars through the course of the week. You can find a full list of Microsoft's offerings related to DST here.

There's good news and bad news for users of Windows 2000, Exchange Server 2000 and Outlook 2000, the e-mail and calendar client included with Office 2000. Microsoft is charging a tenth of what they charged for previous patches on software with limited support, but it still amounts to a $4,000 bill. For that amount, you can apply the patches to all systems in your organization, including branch offices and affiliates. You just can't re-distribute it.

But, for users of Windows NT, Exchange Server 5.5, and Outlook 97, there will be no patch for you. Microsoft stopped support on these several years ago and has deemed the patch too difficult to develop for these products.

To read more on DST, you can check out Renee Ferguson's post on eWeek's Microsoft Watch.

I've noticed a lot of attention paid to this in the past week. Knowing how overworked most IT staffs are, I imagine there are more than a few organizations that are behind the eight ball on this.

Stay tuned. We'll all see what impact the DST change has on Monday. Should be interesting.

February 26, 2007
» Will Legislation from TJX Fallout Hold Retailers More Accountable for Breaches?

The growing magnitude of the TJX Companies, Inc. data breach brought out a whole new wave of headlines last week. I was contacted by a number of editors for my thoughts, having spent much of my professional career aiding companies in gaining enterprise configuration visibility to ensure their IT infrastructures are secure, compliant, and effective.

On Friday, Jaikumar Vijayan included my comments in two of his articles on Computerworld.com.   In one, I addressed why data breaches could occur over such a long time, as in the case of TJX. "When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and ... follow the movement of data" on their networks. That makes it possible for such breaches to go unnoticed for a long time indeed.

"The underlying problem is that companies are treating security as a 'nice to have' as opposed to a 'must have.' TJX is just the tip of the iceberg. I think we are going to see many more. It's going to get a lot uglier before it gets any better."

Here's what I had to say in the other article on legislation introduced in Massachusetts to make retailers more accountable for breaches.

"It's impressive that Massachusetts has taken the first step forward in dealing with retail security issues. Unfortunately, in the retail community, they are all trying to keep a lid on any kind of expenditures and have paid scant attention to information security. I am very much for this legislation. I think it was inevitable."

Mark Reinertson posted comments last week that make some good points about the ignorance of some retailers to data security and what it's costing us. Check it out. It gives good reason for why retailers need to be held more accountable.

February 24, 2007
» Political Data Abuse

I know politicians are easy fodder to pick on and probably some of it is undeserved, but when I read a recent copy of Computerworld, I just couldn't help myself.

The cover featured an article on the Governor of Arkansas, Mike Huckabee. Seems Governor Huckabee decided to do some house cleaning before leaving office to make life easy on his replacement - he ordered the destruction of hard drives in nearly 90 computers before leaving office!

What makes matters worse is Governor Huckabee has declared himself a candidate for President in the 2008 election. Even if there was nothing scandalous on the hard drives, wouldn't you think destroying them as you're about to enter a campaign is just a little curious?

Ironically, the flip side of Governor Huckabee's "data disappearing act" was just a few pages away in an article on the Chicago Elections Board.

Seems a 2003 fire in the Cook County Administration Building led to the distribution of more than 100 CDs with the social security numbers and personal information of more than 1.3 million voters to aldermen and members of local ward committees. Not only could they access the information, they could actually make edits and delete information!

The irony of this in my mind, besides the incredible extremes of abuse, is the fact that the regulatory compliance burden on organizations is generally imposed by politicians.

Sounds like it's time for the politicians to get their own data under control(s).

February 22, 2007
» ITIL Update is Good News for IT

You've got to love a story that starts out with a solid value proposition. In Patrick Thibodeau's story on the upcoming ITIL update, he begins by sharing that the IT Department at Raymond James Financial Inc. was able to reduce Help Desk tickets by 25% in the 18 months after implementing ITIL. Now that's a statistic that should get some attention!

The reality is, if organizations are able to see these benefits from the existing ITIL framework, they should realize even greater benefits from ITIL 3.0. This latest update, due out in April, holds a lot of promise, particularly with the addition of security to the library. Today, a gap exists between the security world and the CMDB world, yet there is one unified IT infrastructure that should be the concern of all parties.

I am also pleased to see outsourcing addressed in this update. If you are going to switch teams, you have to have your servers well-documented. Sorry for the shameless plug here, but Ecora has been documenting servers since 1999. Without documentation, all this knowledge remains in people's heads. How do you transfer that information to "other heads"? You've got to write it down. The trouble is, who has the time? That's why automated documentation software like Ecora is the only way it will ever get done and stay current.

February 16, 2007
» Daylight Savings Time (DST) Change - Much Ado About Nothing or Potential Problem?

An article this week on SearchCIO.com by Kate Evans-Correia highlighted a somewhat "laissez faire" attitude IT managers are taking related to the upcoming changes in Daylight Savings Time.

In case you're not up to speed (this change was bundled in a Federal Energy bill in August of 2005, so it'd be easy to miss), Daylight Savings Time this year will begin on March 11th, extending the annual clock change by about four weeks. The issue is many computer applications that have a time function are all written based on the conventional April to October timeframe for DST.

Now, the consequences of not having your applications updated aren't going to stop the world, but they could cause some real frustrations. Andi Mann, senior analyst at IT analyst firm Enterprise Management Associates in Boulder, Colo., was quoted as saying, "Planes aren't going to fall from the sky, but you might miss your plane."

If you're an organization that is time dependent, like transportation, it could certainly cause problems for both the transportation provider and the traveler. If the problem was with an investment firm or one of their customers, a clock discrepancy could result in an order being executed an hour off from the expected time - potentially costing one of the parties a significant amount of money.

One of the larger issues the article didn't reference is the need to make sure every system is up-to-date. With decentralized offices, DMZs, laptops, and mobile devices to be patched, it could be a real challenge to know everyone is on the same page. It could get more than a little frustrating to set up meetings if everyone is operating on a different clock. On a more serious note, what if security systems kicked on at the wrong time?

Automated tools for collecting and reporting on enterprise configuration and change information can play an important role in ensuring all your systems are updated properly. Solutions like Ecora Auditor Pro, from the company I founded back in 1999, can be used to audit and validate application versions by inspecting file dates and sizes and registry keys. You may have a similar solution at your disposal you'll want to consider.

The DST change may not be the biggest issue to face IT this year, but it is a potential headache that can be avoided by being proactive over the next few weeks and ensuring you have an automated way to validate that all your systems are properly patched.

» More Thoughts on Security Vendor Consolidation

In my post on February 9th, I shared my thoughts on the inevitability of consolidation among security vendors. Alan Shimel's blog on February 13th takes those thoughts even further, by identifying 3 specific ways consolidation is likely to occur. Mike Rothman added a fourth way in his post on the 15th.

I guess it's safe to say I'm not the only one thinking the security vendor glut can't last much longer.

February 15, 2007
» Information Security Management is Accountants' Top Tech Focus

What Does It Mean For You?

Top U.S. accountants say Information Security Management is the most important technology initiative of 2007, according to an article by Michael Hickens on internetnews.com.

The Annual Top Technology Initiatives Survey of more than 1,500 CPAs was conducted by the American Institute of Certified Public Accountants (AICPA) and showed greater awareness of private- and public-sector data breaches, as well as new compliance and e-discovery issues. In addition to Information Security Management, the survey showed concerns about Identity and Access Management, Privacy Management, and Conforming to Assurance and Compliance Standards.

Knowing that CPA firms are often on the front-lines when it comes to compliance audits, what should this mean to you?

To me, it means internal and external accountants are going to be heavily focused on who has access to confidential/privileged data and what those individuals are doing with that data.

For you, this will mean even more audit scrutiny on the access controls in place surrounding your data. If you don't have an automated solution for validating these controls, you will be in for an even longer, more painful, and more costly ordeal when your next audit rolls around.


February 9, 2007
» Consolidation Ahead for Security Vendors?

As I mentioned yesterday, I expect to see significant consolidation among security vendors. There is simply too much segmentation in a market that needs an enterprise-wide solution.

Here are three specific examples of what I'm seeing:

1. Anti-virus vendors are extending their solution set. With Microsoft getting in the game and threatening their major revenue stream, companies like Trend Micro, McAfee, and Sophos are all looking to expand their offerings and will likely combine forces with complementary solutions that will allow them to replace what could be a dwindling revenue stream from their core offerings.

2. There is already tremendous consolidation in the Network Access Control (NAC) space, products that monitor when you connect to the network and, if you don't pass muster, quarantine your access. These are only a portion of the enterprise security solution and you can expect companies marketing this technology to broaden their influence in the infrastructure or be swallowed up by someone looking to develop a more comprehensive enterprise security offering.

3. The space I've focused on for the past seven years, automating the collection and reporting of enterprise-wide configuration changes, is likely becoming ripe for consolidation. There are more and more vendors collecting differing levels of configuration information from a variety of perspectives - data centers, asset information, security information, across varying parts of an enterprise.

Some of these consolidations are underway, notably the Symantec acquisition of Altiris. Who will be next and how soon will remain to be seen. The IT security space is growing rapidly, especially given the growing importance of protecting data. There is bound to be a lot of activity between now and next April when RSA returns to San Francisco.

February 8, 2007
» RSA Conference Reveals Shift in Security Focus

A major shift I'm seeing throughout the sessions I've attended and the conversations I've been having this week at RSA is a changing focus in IT security from network or perimeter security (firewalls, content filters, etc.) to data security - much more than in the past.

Most of the major messages coming out of both the keynote presentations and the breakout sessions are revolving around securing databases, applications, and file servers. "Who has access to your data and what are they doing with it" is a common thread to the conversations I'm hearing this week.

Another observation I've made at RSA is the number of solutions offered in the security space is bewildering. It is truly "solution overload." It is hard for me to see how a security professional can understand what all these products do, especially when a lot of vendors are offering a 2" solution for a problem that's 2 miles wide.

Securing an IT infrastructure is a multi-dimensional problem that no one company can solve. On the other hand, no one can possibly be successful securing their enterprise if they have to piece dozens of solutions together. There will continue to be significant consolidation among security solution providers in an attempt to bring more depth to security solution offerings.

I will share more of my observations over the coming days. I look forward to hearing your thoughts on either of these points, and your own observations on the current state of information security and the technology and solutions available, regardless of whether you are in attendance at RSA or not.