Infosec Needs to Avoid Repeating Past Patterns of Error

Opinion: Information must be safeguarded, one way or another.

If you look at the shape of a mountain range, its often difficult to tell whether the image spans just a few hundred feet or hundreds of miles. Any section of the shape has the same sorts of wiggles as the larger context from which it came. This is called "self-similarity," and I felt as if I were experiencing the same phenomenon while preparing my charts for a recent talk on information security.

I gave the speech this month as the opening keynote at a conference hosted by the Boise, Idaho, chapter of the Information Systems Security Association. The first seven charts looked at significant events since my keynote at the same conference last year; the eighth chart delivered the punch line that all the events I had just described had actually been reported during the 6-hour window immediately before I prepared my presentation slides, only two days before I spoke.

What sounded like a summary of the prior year was actually just a close-up of a slice of a single day.

That 6-hour scan of the information security horizon managed to take in a wide range of landmarks. It included a discussion, for example, of the U.S. Armys failure to realize that a blacked-out passage in an Adobe Acrobat document could be revealed with a simple copy and paste. All that one needed to do was transfer a supposedly redacted passage into another, less sophisticated documentation tool that didnt know about fancy attributes—and merely showed the unadorned text.

As I noted during my talk in Boise, this is the same kind of wiggle of accidental disclosure that has stretched across the past several years. Its the same shape, for example, as the discovery years ago that passages "deleted" from a Microsoft Word document are still present in the file if the "fast save" option was enabled during editing. Those passages can be seen easily by opening the file in a tool such as Notepad that doesnt know whats not supposed to be shown to the user.

At some point, were supposed to stop assuming that our enemies will play by our rules.

Another event reported in the hours just before I prepared my Boise keynote speech was ChoicePoints designation of its first chief credentialing, compliance and privacy officer. This was especially noteworthy because the letters of apology that ChoicePoint sent out in February, advising people that their personal data might have been disclosed to criminals, were signed above the job title "Chief Privacy Officer"—but the signature was that of the companys general counsel, who apparently had never used the CPO title on any earlier occasion and who didnt hold on to it for long. It looks very much as if the function of CPO was never considered important until the lack of such an office became embarrassing.

/zimages/7/28571.gifTo read more about the fallout from the ChoicePoint disclosure, click here.

This suggested to me another fractal self-similarity: Year after year, information security promises are phrased in terms that suggest due diligence while actually assuring nothing. Ive previously noted, for example, that the California law that mandates disclosure of data leaks is waived if the compromised data was "encrypted"—with no further statutory threshold to distinguish competent encryption from trivial measures, such as an easily cracked encipherment that uses a password of "password."

Whether were talking about encryption that merely serves as a checkoff item instead of giving actual protection or about a CPO whose main job is to protect the company from lawsuits rather than protecting customer data from attack, this kind of misuse of language to abuse peoples ignorance and trust must stop.

ChoicePoints February mea culpa letter was sent, initially, to only California residents because only California law required such action. Thats soon likely to change. In response to the ChoicePoint incident, at least 26 states are considering mandates for disclosure of data breach. If people with data in their care dont clean up their act, theyll find themselves in a costly environment of state-by-state regulation.

Thats another kind of fractal complexity that no one really wants or needs. Lets stop making self-similar mistakes and make my next information security speech a lot harder to write.

Technology Editor Peter Coffee can be reached at

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

To read more Peter Coffee, subscribe to eWEEK magazine.