Posts tagged ‘NeuStar’
How to Address Government Data Security
Late last week I attended a federal data security event sponsored by Neustar. What impressed me about this event was the frank admission that sensitive data will be lost – the only issue is how to minimize the vulnerabilities and mitigate the inevitable losses.
It was an intimate event with just two speakers. William Crowell is the former Deputy Director of the NSA, and Rodney Joffe is SVP and Senior Technologist for Neustar. Both highlighted vulnerabilities, suggested some best steps and, in Joffe’s case, proposed a fundamentally new way to view online security.
Crowell is now a security consultant, and mentioned he was part of the team at NSA that worked way back when on decrypting the Venona cables. (As a former PoliSci major, I found that pretty cool.) He told the group that if government supervisors took data security as seriously as they do physical security there would be fewer breaches.
According to Crowell, intelligence has never won a war, but intelligence allows soldiers to win wars. He identified the combination of social engineering and fast-advancing technological capabilities as an “unholy alliance” that is behind fully half of all advanced, persistent online attacks directed against the U.S. government.
He outlined the following steps to fight back:
- Stop talking about ID management, and start doing — there is currently no system deployed within the U.S. government with cryptographic capabilities
- We need gateways and firewalls that can handle hundreds of distinct rules per packet — current tools can handle about 25
- Develop anomaly models for online behavior — just like we have in the physical world
- FISMA — refocus on real-time security, these requirements have become a static checklist
- Education of users — very often overlooked
- Move to the cloud — government needs to stop arguing about the benefits, which are manifest, and focus on securing
Joffe opened his address by stating that the current tools for data security aren’t enough. As an example of the level of threats today, he pointed to the takedown that day of a two-million-strong botnet by the DoJ and the FBI. He told the audience that he’s learned a lot by “being a target since 2002,” through his founding of the leading managed DNS provider UltraDNS (purchased by Neustar in 2006).
Joffe preaches mitigation, since 100 percent prevention is an illusion. He encouraged the audience to engage in a premortem when considering data security. This approach assumes failure, then looks for evidence that can lead back to specific areas of weakness. It’s a fundamentally different way to visualize security — here’s a Harvard Business Review article with more detail on the premortem methodology.
I’ve known Rodney for many years, and he’s very good at explaining technology with analogies. In describing why planning for failure in data protection is necessary and not at all defeatist, he used the example of the modern conference room where we all were sitting. The building employed the latest in safety construction, right down to fire retardant materials in the furniture. Yet there was still a sprinkler system overhead.
Why, he asked the audience? Because fires still happen, despite taking all the proper steps to prevent them. It’s the same with data security.
Here’s Rodney’s to-do list for feds looking to protect their data:
- Continue with all the current best practices and the layered approach to security — firewalls, the latest anti-virus programs, IDS/IPS
- Deploy failure sensors and plan for losses — this is where existing solutions fall down
- Work backwards from failures by examining the artifacts breaches leave behind -- Joffe said he will have more to say publicly on how this can be done in a few weeks
In today’s online threat climate, focusing only on perimeter defense is like the French relying on the Maginot Line in 1940. I’m looking forward to seeing how the federal market reacts to this new way of conceptualizing data security.
Media Layoffs Kill Quality, Not Just Jobs
This past Friday a story ran that reminded me how massive media layoffs have affected the quality of news coverage. It doesn’t matter sometimes how good the reporter is — he or she is stretched so thin that stories get printed that wouldn’t have just a few years ago.
Background – On Friday USA Today published an interview with Ben Petro, a senior executive at VeriSign. The ostensible focus was the “launch” of a Managed DNS service by VeriSign. A reader without any knowledge of the space would have read the article by Byron Acohido and come away thinking VeriSign just launched something new, in response to the market leader Neustar/UltraDNS (disclosure — my client) being hit with multiple Distributed Denial of Service (DDoS) attacks.
Here’s what the reader was not told in the article:
- VeriSign has offered managed DNS for about nine years now — here’s a link to a ComputerWorld story announcing the launch — back in 2001!
- The DDoS attacks referenced were massive and broad, not targeted just at UltraDNS, and were mitigated within an hour
- Ben Petro is the former CEO of UltraDNS, and now is working for a competitor — kinda relevant for readers to know, I would think
In the business this is known as a single source story, and shouldn’t happen in a publication like USA Today. Or from a writer like Acohido — he’s been covering tech for a decade, and won a Pulitzer prize in the late ’90s for crying out loud. We’re not talking about an English major two years out of college — here’s his bio.
So how did it happen? Obviously there is no way to know for sure. I know Petro from his days at UltraDNS. He’s passionate and can come off as very believable. But a little fact checking, more disclosure and contacting Neustar for a response were clearly required before the publish button was pushed on this article.
I reached out to a few reporters I’ve dealt with for years and trust for their take. After all, I’m hardly unbiased here — Neustar is a client after all. Each one of them told me they are under incredible pressure to publish more copy in less time than ever before. And they’re covering more beats than ever before, due to cutbacks in staff. They simply don’t have the time and resources to get both sides of a story — and even more troubling, their publications aren’t sure the market still exists for well researched pieces.
This is one reason Strategic increasingly counsels clients to focus on social media tactics. By doing so your message is not at the mercy of a media industry that often can’t invest the reporting resources required, due to a business model that hasn’t adapted to the Internet age. USA Today has been hit particularly hard — here’s a story about layoffs and unpaid furloughs earlier this year.
To my readers who work in communications, how have you dealt with this trend? Has this happened to you lately?
UPDATE, 8/19 — Nancy Blair, technology editor for USA Today, responded to me via email regarding this post. Unfortunately, no concessions on factual inaccuracies or omissions in the story. But nice to get a response. Pasted in its entirety below:
Chris: We always appreciate direct feedback from our readers and colleagues. It’s for this reason that we have our Standard editor Brent Jones featured every day in our editorial page and online here: http://www.usatoday.com/news/opinion/USA-TODAY-commitment-to-accuracy.htm.
Upon receipt of your email and review of your blog post, we again contacted VeriSign, which again confirmed it has not had a commercially available Managed DNS offering for many years. Also, your client Carla Safigan of Neustar did reach out to Byron and her comment was included in our Technology Live blog post of Friday, August 13th. We at USA Today stand by the blog post written by Byron Acohido.
I hope this response addresses some of your questions and concerns.
Nancy Blair, Technology Editor/USA TODAY
I thanked her for the email, and said I stand by my blog post.
UPDATE 8/27 — This seems relevant — news of further USA Today cutbacks announced today.
Take the Time to Talk — It’s Good for the Bottom Line
Managing social media campaigns at Strategic, I’m struck by how many times clients don’t prioritize conversations that come up as a result of their social media outreach. After all, it is called “social” media for a reason. If you’re producing quality content and presenting it in the appropriate online communities, conversation will ensue.
Yet account teams often have to chase clients to respond to interesting comments or suggestions online. Part of that may be finding the right internal subject matter expert (SME) to respond to the comment. But another part of it I think is the inability to quantify where the conversation will go.
There is an element of serendipity in social media that bothers some clients. Blog traffic, downloads, sales leads — these can be precisely monitored. You can’t guarantee where a conversation may lead, exactly what it will result in. But they often do result in very quantifiable benefits for the business – I see this happen all the time.
My client Neustar made a major announcement in June related to Internet security — read all about it here on CircleID. We posted the news to the DNS and DHCP Group on LinkedIn, and got into a conversation with a System Engineering Manager at Colt Telecom, out of the UK. This conversation grew into a qualified lead and may result in a major new customer win.
For BroadSoft, the conversation started in the Telecom Executive Business Network on LinkedIn, where an IEEE committee member became well acquainted with the types of VoIP powered applications BroadSoft provides to over 450 carriers around the world. For BroadSoft, this conversation is leading to a very thorough understanding of IEEE standards, making it easier to integrate their VoIP application server into carrier networks.
BT’s CSR Perspective blog was designed specifically to deepen the understanding of the CSR goals of BT’s largest clients, as well as share information with a broader audience. The audience and influence of the blog has grown to the point that Xerox asked to contribute a guest post. When you’re working this closely with clients, guess how strong the relationship remains?
When Mike Zaramba took over as president two years ago at Altron, he turned to Strategic to help launch an executive blog designed for external influencers. But he found as he traveled to various company locations that employees were also actively following his blog posts. His knowledge of the industry, and comfort with new communication channels were putting people at ease about the new president. So quite by accident, the blog became an effective internal communications channel.
For those reasons and more, my client counsel is always to get involved in the online conversations you initiate. It’s only good manners, and good business.
Making DNS More Secure — One ISP at a Time
Last July I wrote about a serious security flaw in the domain name system (DNS). It was discovered by researcher Dan Kaminsky and got a lot of coverage: It’s Tuesday — Must be Time to Fix DNS
There were two parts to the DNS vulnerability that quickly became known as the Kaminsky flaw. One was related to poor port number randomization, making it easier for criminal elements to hijack DNS queries and redirect them to fraudulent sites. That problem could be addressed with a software patch, and most of the coverage last year focused on the concerted efforts made by companies like Microsoft, Sun, Cisco and many others to distribute the patches.
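A defender-side check for the port-randomization half of the flaw, added here as an illustration and not taken from the original post or from any vendor's patch: it classifies a resolver's observed UDP source ports and estimates how many bits a forged reply would have to match. The function name, the 1024-port cut-off and the sample port lists are assumptions constructed for this example.

```python
import math

TXID_BITS = 16          # width of the DNS transaction ID field
MIN_PORT_SPAN = 1024    # assumed cut-off for this example, not a standard


def assess_source_ports(ports):
    """Classify a resolver's UDP source ports from successive outbound queries.

    Returns (verdict, bits): bits is a rough estimate of what a forged reply
    must match, the 16-bit transaction ID plus whatever the port contributes.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed", float(TXID_BITS)          # port adds nothing
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential", float(TXID_BITS)     # next port is predictable
    # Heuristic: treat the observed span as the pool the ports are drawn from.
    span = max(ports) - min(ports) + 1
    bits = TXID_BITS + math.log2(span)
    return ("randomized" if span >= MIN_PORT_SPAN else "narrow"), round(bits, 1)


# Constructed observations (not captured from any real resolver).
SAMPLES = {
    "unpatched, fixed port": [53, 53, 53, 53, 53, 53],
    "incrementing ports": [32768, 32769, 32770, 32771, 32772],
    "small port pool": [1025, 1030, 1027, 1041, 1033, 1029],
    "patched resolver": [49731, 12044, 60218, 3391, 27765, 51002, 18876],
}

if __name__ == "__main__":
    for label, ports in SAMPLES.items():
        verdict, bits = assess_source_ports(ports)
        print(f"{label:24} {verdict:11} ~{bits} bits to guess")
```

With only a handful of observations the span underestimates the real pool, so collect several dozen queries before acting on a "narrow" verdict.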
But there was another part to the flaw that could not be patched, since it was fundamental to the DNS protocol itself. Internet consumers are still at risk of being redirected through something called cache poisoning, which fools a DNS server into thinking a fraudulent site is authentic. Until recently there was little public acknowledgement of this happening, because most companies are loath to discuss security breaches.
But in April there was a major breach of a Brazilian ISP Virtua and one of its big customers, the Brazilian bank Bradesco. Here’s coverage of the incident from The Register.
Last week my client NeuStar announced Cache Defender, a way for ISPs to protect their customers from this fundamental Internet vulnerability. ISPs can deploy this solution to create a secure DNS link between their customers and the domains NeuStar is authoritative for, including some of the largest Internet brands such as Amazon, Advertising.com, Oracle and Zappos. Cache Defender is designed to be an interim solution until DNSSEC, a more secure version of DNS, can be implemented by the global Internet community.
Here’s some coverage of the announcement:
I’ve worked on DNS issues previously in my career, so this news was very exciting and fun to promote. If you’d like to know more, check out a discussion going on over at CircleID, a top online forum for Internet infrastructure discussions. Not surprisingly, some negative comments about Cache Defender are coming from NeuStar competitors. But the company already has one announced ISP deployment, with more in the works.
DNSSEC is no doubt the definitive answer, but probably won’t be widely deployed until 2011 for a number of technical and political reasons. Until then, Cache Defender is an excellent way for ISPs to show they are doing all they can to protect their customers.








































