State of Security January 2017

Hoping to catch questions for DeVos, the billionaire nominee from my home state of Michigan for Education Secretary, who has no experience as an educator, I forget about Trump’s much anticipated news conference until I turn on the TV.  There he is, in the middle of some histrionics with CNN, refusing them the chance to ask a question because they are fake news.

“Don’t be rude!  Don’t be rude! Don’t be rude!”  Ferret faced, he yells down from his podium at a reporter who’s only trying to do his job.

Like many, I give a sigh of relief to finally hear him say Russia may have hacked information disclosed in the election.  But I may be the only person in the world who listens carefully to his generalized comments about hacking.  “And they tried to hack the Republican National Committee and they were unable to break through.”

Wait!  No!  That’s not what the FBI…  Don’t let him distract you.

I listen to him talk about how this is a problem, hacking, cybersecurity.  I think of past speeches where he’s blamed the current administration.  Past speeches where he said nobody really understands computers, what they are doing.

I work hard to follow his thoughts as he wanders off into a strange soliloquy.  He mentions “22 million names and everything else that was hacked recently… something that was extraordinary. That was probably China.”

I think how huge disclosures of people’s personal information have been happening, not recently, but for decades.  They are no longer extraordinary.

He comes back to how he’s going to fix this.  “And one of the things we’re gonna do, we have some of the greatest computer minds anywhere in the world that we’ve assembled. You saw just a sample of it two weeks ago up here where we had the six top people in the world … And we’re gonna put those minds together and we’re going to form a defense.”  All said with a face of great sincerity.

I think how those great minds earned vast fortunes – holdings larger than some small countries – selling vulnerable software, systems and devices that organizations and armies of security people are powerless to secure.

I think how many breaches are caused by a built-in reliance on human beings to know the unknowable: what websites are safe to look at, what e-mail attachments can be safely opened, who really sent the e-mail that looks like it came from Aunt Sue?

I wonder how he thinks, especially with his promise to wipe out regulation, this can be so easily solved.

I think lots of luck Mr. Soon-to-be-President and I turn off the TV.

I’m at my desk when the phone rings.  I screen my calls, so I check the readout.  Big Insurance Company it says.  My health insurance company!  I’m not expecting a call.  Did I miss a payment?  I take the call. “This is Big Insurance Company,” a pleasant woman’s computerized voice says. “We would like to speak to Esther Czekalski.  If you are Esther Czekalski, please press one.  If you are not, please press two.”

I do not give out my name to a caller unless I know who they are, and caller IDs can be spoofed, so I press the off button to hang up the call.  Pulling up my recent payment details, I call the customer support number on the bill.

After six menus, providing lots and lots more personal information – I did call the number on my monthly bill – and two sales pitches, I finally talk to a representative.  Nothing is said about a late payment.

“I got this computerized call that says it was from you and the first thing it asked me to do is provide personal information. I never, ever do that.  Are you trying to contact me for some reason?”

“Can you see the number who called you?”

“Well, yes, my phone shows me that information but I can’t look while I’m talking to you.”

She puts me on hold and then comes back to explain that Fastscripts, one of their third-party partners, is making calls to sell mail order prescriptions.  I hate sales calls and tell her so.  They are technically legal from my insurance company, with whom I have a business relationship, but not customer friendly.  My opinion.  She is kind and understanding, says I’m not the only customer she’s heard from today about this, and gives me the number that should have shown for the call. I say, “I’ll call you back if it doesn’t match.”

Formalities completed, she’s very polite, well trained to make sure that she’s dealt with my issue, so after we do some verbal bowing and hand-shaking, I hang up and check the number.  It doesn’t match.

I call back again.  Another trip through the menu system, another representative who has to research the issue again, she assures me it’s the Fastscripts campaign. I explain again that I was given the number and it didn’t match.  She gives me the number again, the one that should have been displayed.  “Yes, that’s the one I was given on the first call.” Again, I give her the number that shows on my phone.  It clearly doesn’t match.  She politely apologizes for taking my time, especially since I’ve had to call more than once and assures me that this was an authorized call.  She says she just wants me to feel safe.

We are speaking in slow motion now.

“But. It. Is. Not. The. Number. You. Told. Me. It. Would. Be.” I wonder if I seem as dotty as they treat me.

I explain that this is what I do for a living and if I worked for them, I would check the number that was calling me; the number I’d given them, the number that didn’t match.  Other customers might want to verify it, too.  “Use your contacts at Fastscripts, find out if this is one of theirs.  I know it’s unlikely, but someone might be using your name to collect personal information from your customers.”

“Do you have a security person I can talk to?”  I know they must, by law.

Anne comes on the line, says she’s helping me now.  We go through the issue again and she says she’ll investigate and call me back.  An hour later she does.

With a smile in her voice she explains that this wasn’t Fastscripts after all.  This was another third-party partner of theirs.  This third-party partner is doing a survey of their Medicare patients to see if Big Insurance Company is providing the right services; I’d be asked things like whether I was afraid of falling, for example.

“So if I’d provided my name, I would have been asked for more personal information?  About how I feel?  My health status?  And you’re doing this without advance notice, without any way for me to verify who I’m talking to other than believe a voice on the phone?”  I’m speaking loudly now.

“I understand your concern and I’ve already raised it to management,” she says.

“Well, tell them again and tell them I said it louder!”  I can’t stop now and I’m probably yelling.  “Just give me two seconds more to speak my mind.  Legitimate companies do things like this.  Then we wonder why someone would give their private, personal information to a complete stranger?”

There, I’ve had my say.  If she is their security person, she probably even agrees.  Sadly, it’s unlikely that one security professional and one dotty customer will slow down Big Insurance Company’s quest for higher sales.  More formalities, she never loses the smile in her voice, and I’m done on the phone.

I say again.  Lots of luck Mr. Soon-to-be-President, lots of luck.

Since it was necessary to truncate multiple encounters with my insurance company to make this readable, I’ve changed names.  So this should be considered as a work of fiction.  A work of fiction where the author is trying to depict events as accurately as possible.

Women in Security

Whenever I attend an information security association meeting or event, I estimate the number of women in the room, compared to men.  Rarely are women more than ten percent of the participants.

I know that extrapolating from my own experience is not statistically sound but many of the women I’ve tried to mentor had to move on to other kinds of jobs because that’s what they could get.  I don’t blame them.  But then I hear how there are so many information security jobs begging to be filled and it doesn’t make sense.

This has been true for a generation as far as I can tell.  What makes me speak of it today is a recent study, reported here by Tracy Lien in the LA Times.

Women in tech still earn far less than men, study finds 

“Significant gaps also existed in tech jobs such as video game artists (15.8%), information security specialists (14.7%) and front-end engineers (9.7%).”  (I added the emphasis.)

Tracy goes on to quote Andrew Chamberlain, chief economist at Glassdoor: “My view is that in heavily male-dominated fields, the people who are making the decisions about pay and promotion are disproportionately men, and that can play a role in why we’re seeing gaps in male and female pay.”

These same people make hiring decisions.

I’m just saying…