Revenue, Profit and Spend on IT Security

February 14, 2011 by

In his 2003 Harvard Business Review article IT Doesn’t Matter, Nicholas Carr recommended that organizations:

1) Spend less on IT
2) Follow, don’t lead, and
3) Focus on vulnerabilities, not opportunities when it comes to IT.

IT Does Matter
Recent research, How the Masters of IT Deliver More Value and Less Risk, supports Carr's recommendation that organizations focus on vulnerabilities. However, the same research finds there are areas where firms should clearly lead.

It is also clear that spending less on IT, especially on information security and audit, is actually detrimental to business results including revenue, profit and customer retention. In fact, the research clearly shows about 2-in-10 organizations that spend the least on IT, information security and audit deliver the worst business results including the lowest revenue, profit and customer retention when compared with peers. Unfortunately, these same organizations are exposed to the highest business risks from higher-than-average data loss or theft rates, more business downtime and greater difficulty with audits.

In sharp contrast are the 1-in-10 organizations spending the most, that also post the best business results, including the highest revenue, profit and customer retention rates compared to peers. These same organizations are least exposed to business-jarring risks from data loss or theft, downtime or audits.

In between are the majority of organizations (7-in-10) that are under- or over-spending compared with peers. These organizations post business results that are slightly on the negative or positive side of their peers, and experience risks from data loss or theft, downtime and audit that are similar to peers.

What it means for you

If you spend too little: it’s time to increase spend upwards

If you spend at average: it’s time to increase and reallocate spend

If you’re not reaping the benefits of high spend: it’s time to reallocate spend

Assess for Yourself, Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CFOs, CEOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: to find out more

HBR Article
IT Doesn’t Matter


How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

NASDAQ Cyber Attack: Is More at Risk?

February 10, 2011 by

On February 5, 2011, NASDAQ revealed that hackers had broken into its network, and unattributed but reliable sources state the intrusions have been going on for more than a year. See the Star-Telegram article for more.

Is more at risk? You be the judge!
In his post on ZDNet in January 2008, Richard Stiennon presciently explained his view of the state of cyberwarfare as follows:

Threat level 1: Travel warnings

Threat level 2: Nation States probe each others networks for vulnerabilities

Threat level 3: Widespread information-theft with intent to mine industrial and military secrets

Threat level 4: Targeted attacks against military and government installations

Threat level 5: Nation-to-Nation attacks with intent to destroy communications and disable business procedures and financial markets

Based on events leading up to January 2008, Richard characterized the state of cyber warfare as being at Defcon level 4. The Stuxnet attacks of 2010 and the attacks on NASDAQ suggest we may be closing in on level 5, even if the perpetrators are not nation states.

In a more recent post at ThreatChaos, Richard argues that strategic industries should go on high alert, with observations on why state departments, the military, critical-infrastructure industries, and computer and technology companies in particular should do so.

The sky is not falling, yet!
If you're reading this, the Internet has not been brought down, you are not under attack, and presumably you are not in lock-down or responding to an emergency. Calmer perspectives and more information can be found at CyberDefcon, where the focus is on providing the information needed to make informed decisions. Among these is a great offshoot site called HostExploit, providing insight into historical events, sites, operators, tools and locations of botnets, cyber-criminals and other bad actors.

Real-time alerts on your desktop
One of the better freebies is available from Symantec: a screensaver, chock-full of information from its sensors around the world, delivered right to your desktop. You can download it at Symantec Threat Monitor.

Industrial-strength real-time alerts
If you are looking for customized real-time services for your business on threats that are specific to your organization, check out the more detailed services available from Impact-Alliance or from the Symantec Global Intelligence Network

Assess Your Posture and Readiness Compared to Your peers
In addition, the Assessments@ITPolicyCompliance provide a rapid way to assess your posture and readiness compared to others. Benchmarked against more than 4,000 other organizations, these quick two-minute assessments help to identify strengths and weaknesses against others in your industry, your peers, and best performing organizations.

Additional resources:

Hackers Attack NASDAQ Network, Probe On; Reports

NASDAQ hack a wake-up call for Exchanges

Hacking fears raised by Nasdaq OMX attack

US Congress Rallying Cybersecurity Bill After NASDAQ Attack

Cyber Defcon 4: 2008 blog post at ZDNet by Richard Stiennon

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Scan or Manage: Threats and Vulnerabilities

February 3, 2011 by

You buy a service from a vulnerability scanning company, check-off the box about managing Internet threats and vulnerabilities, and satisfy demands from auditors to implement a vulnerability management program, right?

Think again: this is exactly what 7-in-10 others are doing – and it’s not working!

It’s not working because:
– Minimum service levels and maximum acceptable risks remain undefined
– Less than half of the procedures to find vulnerabilities and threats are automated
– Less than one-third of the procedures to fix vulnerabilities are fully automated
– Many critical production systems remain uncovered
– Critical fixes and patches are mired in delays of weeks to months

When compared with peers and best performers, the impacts include: more difficulty with audits, more business downtime, higher theft and loss of sensitive information, and preventable damage to the brand and reputation of the organization.

The Assessments@ITPolicyCompliance enable you to determine how your practices for managing vulnerabilities and threats in IT compare with your industry, your peers and best performing organizations.

Visit: to find out more

The practices covered by the Vulnerability and Threat Management self-assessment include the percentage of IT assets that:

• Have antivirus updates consistently applied
• Are subject to vulnerability testing
• Are subject to penetration testing
• Are consistently patched and documented
• Have configuration settings and permissions consistently updated

In addition, the assessment is specific to your automation levels, days elapsed between vulnerability tests, revenue or agency budget, industry and locality.
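The failures listed above (undefined service levels, uncovered production systems, patches delayed for months) and the metrics the assessment asks about (share of assets scanned and patched, days elapsed between tests) only become manageable once they are measured against explicit thresholds. The following is an added example, not the ITPolicyCompliance assessment or any scanner vendor's code: it takes a constructed asset inventory with scan dates and open findings and reports coverage and SLA breaches. The SLA values are hypothetical and would be set by the organization's risk owner.

```python
"""Measure a vulnerability-management program against explicit service levels.

Added example, not the ITPolicyCompliance assessment or any scanner vendor's
tool. The inventory, scan dates and findings below are constructed; the SLA
thresholds are hypothetical and would be set by the organization's risk owner.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical service levels: how stale a scan may be, and how long a finding
# of each severity may stay open before it counts as an SLA breach.
SLA = {
    "max_scan_age_days": 30,
    "max_fix_days": {"critical": 14, "high": 30, "medium": 90},
}


@dataclass
class Asset:
    name: str
    tier: str                       # "production" or "other"
    last_scan: Optional[date]       # None = never scanned
    av_updated: bool                # antivirus signatures current
    findings: List[Tuple[str, date]] = field(default_factory=list)  # (severity, first_seen)


def scan_coverage(assets: List[Asset], today: date, tier: str = "production") -> Dict:
    """Share of assets in a tier scanned within the SLA window, plus the stragglers."""
    in_tier = [a for a in assets if a.tier == tier]
    uncovered = [a.name for a in in_tier
                 if a.last_scan is None
                 or (today - a.last_scan).days > SLA["max_scan_age_days"]]
    covered = len(in_tier) - len(uncovered)
    pct = 100.0 * covered / len(in_tier) if in_tier else 0.0
    return {"tier": tier, "total": len(in_tier), "covered": covered,
            "percent": pct, "uncovered": uncovered}


def overdue_findings(assets: List[Asset], today: date) -> List[Dict]:
    """Findings open longer than the limit for their severity.

    A finding whose severity has no defined limit cannot be measured at all,
    which is exactly the "maximum acceptable risk undefined" failure; report it
    separately rather than silently treating it as compliant.
    """
    overdue = []
    for a in assets:
        for severity, first_seen in a.findings:
            limit = SLA["max_fix_days"].get(severity)
            days_open = (today - first_seen).days
            if limit is None:
                overdue.append({"asset": a.name, "severity": severity,
                                "days_open": days_open, "limit": None,
                                "status": "unclassified"})
            elif days_open > limit:
                overdue.append({"asset": a.name, "severity": severity,
                                "days_open": days_open, "limit": limit,
                                "status": "overdue"})
    return overdue


def av_coverage_percent(assets: List[Asset]) -> float:
    """Percent of all assets with current antivirus updates."""
    if not assets:
        return 0.0
    return 100.0 * sum(a.av_updated for a in assets) / len(assets)


# Constructed sample inventory as of a fixed reporting date.
TODAY = date(2011, 2, 3)
SAMPLE_ASSETS = [
    Asset("web-01", "production", date(2011, 1, 20), True,
          [("critical", date(2011, 1, 5))]),          # open 29 days, limit 14
    Asset("db-01", "production", date(2010, 11, 15), True,
          [("high", date(2011, 1, 25))]),             # scan is 80 days old
    Asset("erp-01", "production", None, True),        # never scanned
    Asset("laptop-17", "other", date(2011, 2, 1), False,
          [("medium", date(2010, 10, 1))]),           # open 125 days, limit 90
    Asset("app-02", "production", date(2011, 1, 30), True,
          [("critical", date(2011, 1, 28)), ("info", date(2011, 1, 1))]),
]

if __name__ == "__main__":
    cov = scan_coverage(SAMPLE_ASSETS, TODAY)
    print(f"production scan coverage: {cov['percent']:.0f}% "
          f"({cov['covered']}/{cov['total']}); uncovered: {cov['uncovered']}")
    for item in overdue_findings(SAMPLE_ASSETS, TODAY):
        print(item)
    print(f"antivirus current on {av_coverage_percent(SAMPLE_ASSETS):.0f}% of assets")
```

Two design points worth noting. Coverage is computed per tier, so a fleet-wide 80 percent cannot hide two unscanned production systems. And a finding with a severity the SLA does not define is reported as "unclassified" rather than dropped: a risk that has no agreed maximum cannot be said to be within it.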

Visit: to find out more

The intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes to existing practices that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested:
– managers in IT security and operations, audit, risk, and compliance

Time to value:
– minutes

Benchmark universe:
– more than 4,000 other organizations

Additional reading:

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Managing IT Configuration Drift, Controls and Risk

January 27, 2011 by

Within a week, the configuration controls, permissions and entitlements that IT spent time testing are out of date. The simple fact is that normal use changes them quickly, whether the changes are collateral from other changes being made, accidental or intentional.

Known as configuration drift, the problem affects every layer of technology organizations use, from outsourced cloud-computing applications to web applications and databases, underlying systems and networks, laptops, PCs and mobile devices.

Unfortunately, the unseen and unknown changes to technical controls are the very foundation of the next business disruption, or unauthorized access to applications, information and interconnected IT assets.

Patching: One possible solution?
There are many workarounds that can serve as a temporary fix until patches are available. Then there is the ubiquitous Microsoft Patch Tuesday, as well as patches from other suppliers, that must be scheduled, applied and tested. In other cases there are no temporary solutions, and hard tradeoffs have to be made between convenience, exceptions and increased risk profiles. The sad fact is that most organizations sit on patches for months before applying even those deemed most critical.

Detect and prevent: the other solution?
Detection and prevention are only achievable if IT assets are instrumented to provide log and event information, assets are inventoried, continuous assessments are routine, and the resulting problems and risks are quantifiable. The reality is that only one-in-ten organizations are proactively using these kinds of IT GRC tools.

In truth, different procedures and controls are more — and less — effective, under different circumstances, and some procedures are clearly more important than others.
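The "detect" half of detect-and-prevent comes down to a routine comparison of what was tested against what is actually running now. The following is an added example, not a product and not the page author's code: it records a baseline of a few configuration files (content hash, permission bits, owner), introduces the kind of collateral changes described above, and reports each drifted attribute. The file names and contents are constructed in a temporary directory so the script runs offline; the only assumption for real use is that the baseline is stored where the monitored host cannot alter it.

```python
"""Detect configuration drift by comparing a stored baseline of technical
controls (content hash, permission bits, owner) against a fresh snapshot.

Added example, not a product and not the page author's code. The files and the
baseline are constructed in a temporary directory so the script runs offline.
Assumption for real use: the baseline comes from the last tested build and is
kept somewhere the monitored host cannot modify, since a host-resident baseline
can be rewritten by the same change, or attacker, that caused the drift.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]   # path -> observed attributes
WATCHED = ("sha256", "mode", "uid")    # attributes compared when a file exists


def snapshot(paths: List[str]) -> Snapshot:
    """Record content hash, permission bits and owner for each path."""
    snap: Snapshot = {}
    for path in paths:
        if not os.path.isfile(path):
            snap[path] = {"state": "missing"}
            continue
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = {"state": "present", "sha256": digest,
                      "mode": oct(stat.S_IMODE(st.st_mode)), "uid": str(st.st_uid)}
    return snap


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Dict[str, object]]:
    """One record per drifted attribute; an empty list means no drift.

    A file that appears or disappears is reported once (attribute "state")
    rather than as a pile of missing hashes and modes.
    """
    drift: List[Dict[str, object]] = []
    for path, base in baseline.items():
        cur = current.get(path, {"state": "missing"})
        if base["state"] != cur["state"]:
            drift.append({"path": path, "attribute": "state",
                          "expected": base["state"], "observed": cur["state"]})
            continue
        for attr in WATCHED:
            if base.get(attr) != cur.get(attr):
                drift.append({"path": path, "attribute": attr,
                              "expected": base.get(attr), "observed": cur.get(attr)})
    # Files present now that the baseline never knew about are drift too.
    for path, cur in current.items():
        if path not in baseline and cur["state"] == "present":
            drift.append({"path": path, "attribute": "state",
                          "expected": "untracked", "observed": "present"})
    return drift


def demo() -> List[Dict[str, object]]:
    """Build a baseline, make the kind of changes the post describes, return the drift."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd_config")      # constructed file names
        audit = os.path.join(d, "audit.rules")
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin no\n")
        os.chmod(sshd, 0o600)
        with open(audit, "w") as fh:
            fh.write("-w /etc/passwd -p wa -k identity\n")
        baseline = snapshot([sshd, audit])

        # Collateral drift: a later change loosens sshd (content and mode),
        # and a "cleanup" deletes the audit rules outright.
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        os.chmod(sshd, 0o644)
        os.remove(audit)
        return diff_snapshots(baseline, snapshot([sshd, audit]))


if __name__ == "__main__":
    for record in demo():
        print(f"{record['path']}: {record['attribute']} "
              f"expected {record['expected']!r}, observed {record['observed']!r}")
```

Run on a schedule, the drift list is the evidence the audit trail needs: what control changed, from what, to what. A mode going from 0o600 to 0o644 or a rules file vanishing is the kind of unseen change that precedes the next disruption, and it is only visible if the baseline was captured when the control was last tested.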

The new Assessments@ITPolicyCompliance enable you to determine which procedures for managing technical controls are leading to the best outcomes, against the real-world practices of more than 4,000 other organizations.

Visit: to find out more

Find the answers to how your practices for managing technical controls compare with others, including:
• Your industry
• Your peers, and
• Best performing organizations

The practices covered by the Management of Technical Controls include:
• Whether IT assets are identified and classified
• If access to IT assets is segmented or otherwise limited
• Whether unauthorized access to IT assets is detected or prevented
• If audit trails and configuration settings are monitored
• Whether IT assets and configuration settings are tested
• If evidence from audit trails and configuration settings is gathered
• Whether gaps in technical controls are remediated and documented
• If IT assets are hardened
• Whether an inventory of IT assets is centrally maintained
• If your procedures are automated sufficiently

Visit: to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing technical controls are compared to your industry, your peers and the best performing organizations.

More importantly, the intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization with the Assessments@ITPolicyCompliance today.

Additional reading:

Automation, Practice and Policy in Information Security for Better Outcomes

Business Continuity in the Real World

Don’t Fall for the Old Saw of Patch Management

Managing Third-party Evidence Requests

January 20, 2011 by

Recent discussions with people in numerous organizations reveal that requests for evidence about compliance and certifications, exchanged between business partners, customers and suppliers, are becoming unmanageable.

These requests for information have grown from a few questions and maybe a document or two about four years ago to hundreds-to-thousands of requests, each running to tens-to-hundreds of pages and many spreadsheets. Between requests from customers and demands on suppliers, organizations are beginning to drown in a sea of third-party certification, audit and risk evidence requests.

Some of the information being sought is routine, such as "Do you have policies in place covering your information assets?" Other questions, however, delve into trade secrets, involving what organizations consider to be their secret sauce.

For example, one recent request asked for the details of the indexing engine being used within a database for a transaction system a company used for booking many of its sales contracts. Another evidence request asked for a detailed mapping of meta-data that was being used behind the scenes for managing customer rewards programs. Neither of these requests was honored and legal counsel had to be involved in both to resolve the situations.

The explosion of third-party information, audit-evidence and certification requests is not limited to the private-sector. The public-sector with its many overlapping agencies may actually be some of the worst offenders in terms of the volume of the requests and the depth of information being sought.

In a few select cases, some firms are using more automated methods to request, gather and analyze the information to manage business risks that run from suppliers to customers. However for most, the procedures for issuing the requests, gathering information, responding to the requests, and analyzing the responses are highly manual, cumbersome and involve many different people in different job-functions.

For some, the information being sought is translating to less-agile market action and higher prices that are impacting the bottom-line in the private-sector. And, the information being requested is beginning to pose a threat to organizations where “secret-sauce” information is being sought or provided.

Given the litigious and risk-oriented complexion of the market, the behavior is unlikely to go away anytime soon.

Rather, it is time to formalize and automate the procedures and introduce controls, to manage the explosion of third-party evidence gathering, responding, and analysis.

Related research

How the Masters of IT Deliver More Value and Less Risk

Automation, Practice and Policy in Information Security for Better Outcomes

Want to find out how your organization's practices for procedural controls are impacting your organization, or how these compare with your peers?
Try the two-minute Assessments@ITPolicyCompliance

Cloud computing: Information anywhere anytime

January 14, 2011 by

Based on stats collected by about 35 percent of people in the world have access to the Internet today. There’s another 4.5 billion plus people to go before the Internet is a completed world-phenomenon. But for the estimated 2.4 billion people using the Internet today, there’s a lot of change coming.

Children born into developed countries in the year 2000 do not know of a world without the Internet. Libraries, card catalogs, radio, magazines, newspapers and television will all be different in 2020, and by 2040 these sources of information may no longer exist — as we know them today.

Social networking and wikis are introducing new methods to publish and share information that will dwarf the world's store of books, magazines, newspapers and television footage created prior to the year 2000. Two of the big social networks – Facebook and Paxo – combined are estimated to have more than one billion users. Add in the hundreds of other social networks around the world and the number of socially interconnected people approaches two billion.

Information anywhere anytime is being further ushered along by the adoption of multi-function devices such as smart-phones, touch-pads and tablets, all of which are projected to surpass shipments of PCs, laptops and netbooks by the end of 2012 (see the Morgan Stanley research presentation delivered by Mary Meeker).

Smart-phones of today may appear rather dumb by 2015 and downright stupid by 2020 as new technologies, new applications and lower prices combine to reach hundreds of millions, if not billions of people.

The on-premises IT assets of today will give way to tomorrow's business run on off-premises IT assets, applications and information delivered over HTTP. Called cloud computing, it looks like timesharing on the scale of the Internet.

Get ready for the information anywhere anytime revolution; it promises to be beneficial to people, businesses and governments, if the security, risk and control issues can be tamed. WikiLeaks is likely to be followed by many more leaks until and unless the security, risk and control problems are tamed.

Data published by the Open Security Foundation shows 80 percent of lost or stolen sensitive information is due to web hacks, attacks, email hacks, viruses, stolen disk drives, stolen laptops, stolen media, and lost devices and media. None of these risks are going away with Cloud-computing. In fact, the likelihood that sensitive information is lost or stolen probably increases as Cloud-computing applications, information, and alternatives are more widely adopted.

Information anywhere anytime is appealing for many reasons, including lower costs, improved agility, reuse of capital for core-business initiatives, and much greater market-reach. It’s a trend that is overwhelming in its utility for businesses and consumers alike.

Just remember: your information anywhere anytime can and will easily become someone else’s information anywhere anytime. Fund the business risk, IT governance, security and control initiatives that are needed to protect your information anywhere anytime, or you too will experience your-own-leaks.

Related research
How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

Want to find out how your practices for policy and information controls are impacting your finances? Try the two-minute Assessments@ITPolicyCompliance.

IT Value

January 11, 2011 by

In 2003, on the heels of the dot-com bubble, Nicholas Carr argued persuasively in his seminal article IT Doesn't Matter that strategic advantage from the use of IT is increasingly fleeting and short-lived, that IT is becoming commoditized, and that the risks created by the use of IT matter more than the advantages it delivers.

His recommendations include:
• Spend less on IT
• Follow, don’t lead
• Focus on vulnerabilities, not opportunities

Advice on spend is a bit simplistic
In the latest IT PCG research report, How the Masters of IT Deliver More Value and Less Risk, the dictum to "spend less on IT" is found to be a bit simplistic, if not self-serving.

The best performers actually spend more on IT to drive value and manage risk
Research from 2006 through 2010 shows those organizations with higher revenue, profit and customer retention actually spend more on IT and information security to drive value and manage business risks related to the use of IT.

Where spend on IT delivers more value and less risk
The best performing organizations are using IT Balanced Scorecards, IT Strategy Maps, IT Portfolio Management and COBIT to drive value from the use of IT. Preserving value and managing risk is accomplished by the same organizations with the use of ISO-based information security practices, COBIT-defined controls and procedures, CIS defined benchmarks, IT GRC systems and applications, security incident and event management systems, and information security controls.

Highly automated, these organizations are reporting on value and risk daily, weekly and bi-monthly. The findings from the ongoing research show organizations taking these actions post much higher revenue, much higher profits, much less loss or theft of customer data, much less business downtime from IT accidents or disruptions, fewer vulnerabilities and far fewer problems with regulatory audit.

Do not follow the laggards: Instead follow-the-leaders
The only differentiation found in the research is among those spending less money on these initiatives, management tools and technology systems. Among these organizations, revenue, profits and customer retention are either average or worst-in-class. These same organizations post the highest business risks from IT-related downtime, lost or stolen customer data, vulnerabilities impacting IT systems, and problems found in audit. Carr's advice from 2003 to follow the leaders is sage advice.


How the Masters of IT Deliver More Value and Less Risk

IT Doesn’t Matter

Related research

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Want to simply find out how your organization compares with your industry, your peers or best performing organizations? Try the two-minute Assessments@ITPolicyCompliance

Who’s Got Your Information — Today!

December 29, 2010 by

The twenty most recent reported data-loss or theft incidents of 2010, based on data reported by the Open Security Foundation* impacted the following organizations:

– Farber Enterprises, 30 Nov 2010
– Houston Independent School District, 2 Dec 2010
– University of Arizona, 2 Dec 2010
– American Check Casher of Oklahoma, 3 Dec 2010
– Mesa County, Colorado, 4 Dec 2010
– University of Wisconsin, Madison, 9 Dec 2010
– University of Alberta, 9 Dec 2010
– Gaelic Athletic Association, 10 Dec 2010
– Walgreens, 10 Dec 2010
– Genesco, Incorporated, 10 Dec 2010
– Mountain View Medical Center, 10 Dec 2010
– McDonalds Corporation, 11 Dec 2010
– NatWest, 11 Dec 2010
– Gawker Media, 12 Dec 2010
– Department of National Defence, Canada, 12 Dec 2010
– Mesa County Sheriff's Office, 12 Dec 2010
– Mountain Vista Medical Center, 13 Dec 2010
– Ohio State University, 15 Dec 2010
– NY State Office, Temporary/Disability Assistance, 15 Dec 2010
– Dean Health Systems, 20 Dec 2010

* Source: Open Security Foundation, 2010 (see

These twenty were preceded by another 351 during 2010, impacting: AMR Corporation, Aon Consulting, British Columbia Lottery Corporation, Citibank, Equifax, Federal Reserve Bank, Jackson Hewitt, Hartford Life Insurance Company, Loma Linda University Medical Center, Navy Federal Credit Union, NBC Universal, Paychex, Starbucks, St. Mary’s Medical Center, the U.S. Army, State Department and Verizon Wireless among many others.

For details of these and others, see the comprehensive database compiled and made available by the Open Security Foundation at

What Others Can Find Out about You and Your Employees
Think you’re immune to the problem? Think again! Your employees are leaving trails all-over the Internet for anyone to exploit.

Visit What The Internet Knows About You – Today!
See to test it out for yourself
See to read the background details

Due to lax or non-existent controls that make it easy to identify where your employees have been, who they are, and routes that can be used to craft attacks, it is rather easy to gather intelligence about you and your organization.

What Others Are Finding Out about You and Your Employees!
The widespread adoption of smart-phones, both inside and outside the organization, is leaving many firms exposed to personally identifiable data-sharing practices that are now being challenged in the courts. The most recent lawsuit targets Apple and the makers of Apps that run on the iPhone. The same Apps, App-makers and Android-based smart-phones could be next.

Read the news at:

Apple sued over iPad and iPhone App 'data leaks'

Apple, App makers hit with privacy lawsuits

Apple Sued for Allegedly Sending Data to Advertisers

The lawsuits do focus the issue on appropriate uses of personally identifiable data – even if it’s too early to decipher the outcomes.

Beyond PID: Financial, customer, audit, security and other sensitive information
What's more important: PID covering your employees and your customers, or sensitive information about your financials, audit profile data, internal fraud investigations, configuration control data for your websites and critical databases, information security controls and procedures governing access to sensitive information, information about strategic partners, suppliers, mergers or acquisition plans, patient data, new drug-testing results, utility-grid data, minerals-exploration findings, new manufacturing methods, board minutes … or other information?

• Whatever you value, is it worth protecting, do you know where it’s located, who has access to it, and how it should not be used?
If you can answer these questions immediately: count yourself among the lucky 10 percent of the population that can!

Do you know what your information risks are – today?
If you can answer this question in less than a week, count yourself among the prepared 8 percent of the population.
And, make sure the CEO and the board know about this.

Take Action — Today!
For the other 90 percent, it's time to tell the CEO and the board what needs to be done, before you too become the next headline in the Wall Street Journal, The Washington Post or the BBC, and find yourself listed in the Open Security Foundation's DataLossDB.

See the recent research, “What Color Is Your Information Risk — Today?” at

The two-minute benchmark test
Too busy to read research? Take two-minutes to find out how well prepared you are by benchmarking and comparing your practices against others in your industry, your peers, and the best performing organizations.

The Assessments@ITPolicyCompliance for managing information controls compares your practices for managing information against the real-world choices and practices of more than 3,800 other organizations.

Visit: – Today!

Find the answers to how your practices for managing information controls compare with:
• your industry
• your peers, and
• best performers

Practices covered by this assessment include:
• Segregating different kinds of IT systems
• Classifying information
• Identifying the locations of sensitive information
• Segregating access to sensitive information
• Prevention and detection
• Protecting sensitive information
• Detecting the leakage of sensitive information

Visit: – Today!

Specific to your industry and size of your organization, all of the confidential and free assessments deliver immediate feedback on how well, or poorly, you are managing business value and risk related to the use of IT compared to others in your industry, your peers and the best performing organizations. More importantly, the two-minute assessments quickly identify how you compare with others and practices that will improve outcomes.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions: IT is no exception.

Improve your outcomes, visit Assessments@ITPolicyCompliance today.

Who’s Spying on You, and What They Know

December 20, 2010 by

Reports last week that Microsoft intends to put a "do not track" button in the forthcoming release of its Internet Explorer browser join a long line of add-ons for numerous web browsers that would, in theory, put users in charge of whether they are targets for on-line advertising. See "Add do not track to Firefox, IE, Google Chrome" by Dennis O'Reilly at CNET.

But, recent research reveals these “do-not-track” efforts may be useless.

Tracking of User Web browsers
A review of the past and present reveals the following practices to track and identify users and their web-browsers:

Old school: Cookies
A tried-and-true method, still used today (for an introduction to cookies, see: ). Its author was trying to solve the "shopping-cart" problem and never intended his invention to be used for tracking. It was not until years later, when he found advertising being served to him based on his searches, that he realized his shopping-cart solution had been subverted for private gain. Cookies combined with IP addresses and third-party analytics are now the most common method employed to serve up advertising based on web-surfing behavior.

“So what” you say? Read on…

Contemporary school: LSO super-cookies
A more contemporary approach uses Flash-based LSO super-cookies (or Silverlight isolated storage), combined with third-party analytics, to serve up advertising based on web-surfing behavior.

No one tells users this is happening, and the practice continues unabated because users cannot see it and are unaware that their use of the Internet leads to more personal data being collected about them. If you want to change what Flash does with stored objects on your PC or laptop, you have to visit , but doing so does not block LSO cookies or the tracking that results.

Firefox users can add extensions that detect and delete these. BetterPrivacy, Ghostery, RequestPolicy, Torbutton and NoScript, among others, provide tools for those who do not want to be tracked, and some of them can also be used to prevent JavaScript from harvesting personally identifiable data.

“So what” you say? Read on….

You are Now being Fingerprinted
The new school of tracking fingerprints your web browser, with or without cookies, and without your knowledge or consent. Combined with the ubiquitous ability to geo-locate you and, more importantly, to record your IP address (unless you hide it), the reality is that even without cookies, trackers can keep harvesting data about users for advertisers and their supporting search-engine, device, app and network-service enablers. You don't believe this?

Test the fingerprint of your browser
See how unique your own web browser's fingerprint is: visit Panopticlick at:

It doesn't matter whether you use in-private browsing or not: you and your IP address are still being uniquely fingerprinted. The research paper from the Electronic Frontier Foundation, available on the Panopticlick site, reveals that browsers are overwhelmingly trackable and that policymakers should consider treating web-browser fingerprints as personally identifiable data.

European regulators may be inclined to do so, but watch out if you are not a citizen of an EU country.
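To make the fingerprinting claim concrete: what identifies a browser is not any single attribute but the combination. The following is an added example, not the Panopticlick code or the EFF's data. It applies the study's measure, the surprisal (-log2 of the probability) of each observed value within a population, to a constructed set of eight visitors, derives a cookie-free fingerprint from the attributes a page can read, and counts how many visitors that fingerprint singles out. The attribute names and values are constructed; a real collector would take them from HTTP headers and from JavaScript run in the page.

```python
"""Measure how identifying a browser's reported attributes are, the way the
EFF's Panopticlick study did: by the surprisal (-log2 P) of each observed value
within a population, and by how many visitors end up with a fingerprint nobody
else shares.

Added example, not the Panopticlick code. The visitors below are constructed
attribute sets; a real collector would take them from HTTP headers and from
JavaScript run in the page (screen size, timezone, plugin and font lists). No
cookie is set or read anywhere in this process.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Attributes a page can read without consent; order is fixed so hashes are stable.
ATTRIBUTES = ("user_agent", "screen", "timezone", "plugins", "fonts")


def fingerprint(attrs: Dict[str, str]) -> str:
    """Deterministic identifier derived from the attribute values alone."""
    material = "\x1f".join(attrs.get(k, "") for k in ATTRIBUTES)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def surprisal_bits(value: str, population: List[str]) -> float:
    """Bits of identifying information in observing `value`: -log2 P(value)."""
    count = population.count(value)
    if count == 0:
        raise ValueError("value not present in population")
    return -math.log2(count / len(population))


def attribute_entropy(visitors: List[Dict[str, str]]) -> Dict[str, float]:
    """Average surprisal (Shannon entropy) of each attribute over the population.
    High values mean the attribute splits the population finely."""
    report = {}
    for k in ATTRIBUTES:
        column = [v.get(k, "") for v in visitors]
        report[k] = sum(surprisal_bits(x, column) for x in column) / len(column)
    return report


def fingerprint_bits(visitor: Dict[str, str], visitors: List[Dict[str, str]]) -> float:
    """Surprisal of the visitor's whole fingerprint within the population."""
    fps = [fingerprint(v) for v in visitors]
    return surprisal_bits(fingerprint(visitor), fps)


def uniqueness(visitors: List[Dict[str, str]]) -> float:
    """Fraction of visitors whose fingerprint is shared by no other visitor."""
    counts = Counter(fingerprint(v) for v in visitors)
    unique = sum(1 for v in visitors if counts[fingerprint(v)] == 1)
    return unique / len(visitors)


def _visitor(ua, screen, plugins, fonts, timezone="-300"):
    return {"user_agent": ua, "screen": screen, "timezone": timezone,
            "plugins": plugins, "fonts": fonts}


# Constructed population of eight visitors. Every attribute value is shared by
# several visitors, yet the combination singles out half of them.
VISITORS = [
    _visitor("UA-A", "1280x800", "flash,java", "arial,verdana"),
    _visitor("UA-A", "1280x800", "flash,java", "arial,verdana"),   # same as above
    _visitor("UA-A", "1920x1080", "flash", "arial,calibri"),
    _visitor("UA-A", "1920x1080", "flash,java", "arial,calibri"),
    _visitor("UA-B", "1280x800", "flash", "helvetica"),
    _visitor("UA-B", "1280x800", "flash", "helvetica"),            # same as above
    _visitor("UA-B", "1920x1080", "flash,java", "arial,dejavu"),
    _visitor("UA-B", "1920x1080", "flash", "arial,dejavu"),
]

if __name__ == "__main__":
    for name, bits in attribute_entropy(VISITORS).items():
        print(f"{name:11s} {bits:.2f} bits")
    print(f"visitor 3 fingerprint: {fingerprint_bits(VISITORS[2], VISITORS):.2f} bits")
    print(f"unique fingerprints: {uniqueness(VISITORS):.0%} of visitors")
```

Two things the numbers show. The per-attribute entropies add up to 5 bits, but visitor 3's fingerprint is worth only 3 bits within this population, because attributes are correlated (screen size and font list both track the operating system, for instance); the honest measure of trackability is the joint fingerprint, not the sum of the parts. And the timezone contributes 0 bits here because every visitor shares it, which is the same reason a real tracker pairs the fingerprint with the IP address: an attribute only identifies you relative to the population being watched.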

Some good uses of fingerprinting browsers:
Good uses of the approach include applications in financial services and by goods and service providers as another check against fraud. One of many providers of the technology is 41st Parameter.
See more at

Focused on financial services, the company also delivers products and services for eCommerce, travel, DRM and social networking applications.

Beware Traffic Analysis
Although 41st Parameter’s stated applications of its technology are focused on uses that many people will applaud, there is no reason the same technology, in the hands of another company with a very different business model, or of a hacker for that matter, cannot be turned to the last item on that list: social networking applications. That should scare everyone from consumers to CEOs of the largest companies, because of the ability to easily conduct traffic analysis, a technique that yields useful information about the searches and sites being used by a targeted group. For an introduction to traffic analysis and a few of its applications, see

Fingerprint on the Web: Meet Social Media!
Social media meets fingerprinting

Personal details stored by users on social media sites such as Facebook, LinkedIn or any number of other Internet social media sites (see for a more complete list of social media networks) can easily be used to link your personal information with old-fashioned cookies, LSO cookies, fingerprints, IP address and the other information being collected.

Instead of a government overtly spying on its citizens, the primary harvesting engine of personal preferences and interests in the West is the private sector.

“So what,” you say? Read on…

Mobile Smartphones
The Wall Street Journal reported the findings of its investigation into the personal-information collection and sharing practices employed on mobile smartphones in its article “Your Apps Are Watching You”, printed on December 18, 2010.

The authors found that personal details are routinely being collected and shared, including, among others, age, gender, location and the ID of the smartphone. Of course, this is a great practice for financial gain from the sale of advertising, but the data being collected can be used for purposes beyond advertising. And if there is a buck to be made from the sale of personally identifiable data, you can be assured these activities are already underway. An interactive database of the Journal’s results can also be found at

Who’s got your back?
What protections can you take if you are a consumer or a business? What protections can your company employ to limit what your competitors can learn about your strategic plans, customer visits, merger and acquisition plans, or strategic partners by using traffic analysis? What about traditionally more secretive national defense or homeland security initiatives?

While the ethics of modern Internet advertising are debatable (service providers double-dip by charging consumers for a service and then selling their data for a profit to be used in targeting prospective customers), the real worry is how the information being collected can be used for traffic analysis and targeting, in the public and private sector alike. Traffic analysis knows no boundaries!

In retrospect, the “do-not-track” missive of a week or so ago appears sophomoric at best, and misleading at worst!

You tell us: is this too paranoid, or are we already in an era beyond privacy that can be legislated, where practices on the Web already outstrip the boundaries of national law and regulation, with no possible solution other than more defensive technical traps and arsenals, if there are any?

When it WikiLeaks, it pours!

December 13, 2010 by

OpenLeaks (see Reuters) says it plans to be up and running in 2011, is already “drowning in applications”, and promises to stay neutral when it comes to politics.

This comes on the heels of the WikiLeaks events of the past two weeks, which have seen Julian Assange indicted on sex-related charges, the U.S. Department of Justice authorizing significant actions related to criminal charges, and the abandonment of business as usual among the organizations and people identified in the ‘leaks’.

I’m glad to see some journalistic credibility and redaction to protect people: but are you glad about this turn of events?

Whether you agree or disagree with the widespread availability of sensitive information, the unfolding of these events is witness to some sad realities, including:

Less than 1-in-10 organizations know whether sensitive information has flown the coop

The other 9-in-10 don’t find out until it’s much too late

Less than half of all organizations even classify information

Only 4-in-10 organizations take precautions to cryptographically protect sensitive information

To understand the extent of the problem, see:

What Color Is Your Information Risk

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments @ IT Policy Compliance

Armies of lawyers, lawsuits and criminal charges are not going to put the information-leaking genies back into the proverbial bottle, whether the leakers focus on governments, large businesses, celebrities or other inviting targets.

Joined by BrusselsLeaks, IndoLeaks and BalkanLeaks (see Forbes), the coming of age of leaked confidential information means more leaks, as newbie info-leakers vie for attention, power, control, advocacy position, fraud, ransoms and other aims.

If organizations want to come to grips with the coming downside era of the Internet, it is time to do what should have been done all along: clean up your own house!

This starts with coming to grips with the extent of poor practices, including pretending the risks do not exist or shooing them away, lax or non-existent policies, non-existent or poorly understood procedures, non-existent controls and underfunded practices.

Law has never stopped the flow of information; cleaning up one’s own house is much less expensive and more likely to avoid embarrassing consequences, and worse.
