Site Review – Scribd
- At February 13, 2009
- By Josh More
- In Business Security
Scribd isn’t as well known as many other sites, but what it does, it does quite well. Simply put, it’s a way to share documents via the web. The documents can be in various formats, and the site automatically converts them for you. Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats. It’s a nice and easy way to share documents.
Pros:
- Easy to use
- Free
- Shifts the bandwidth for hosting large files to someone else
Cons:
- Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
- It’s weak on the social networking
- Only two levels of document security: “public” and “private”
- Search doesn’t allow you to search by licensing
The same caveats about security apply to this site as others. In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do. So, be careful building a business model around this site.
However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity. Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here. In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.
Malware
The way that Scribd works, you upload a document and they automatically convert it into other formats. It is highly unlikely that malicious applications would survive an automated conversion between formats, but if you download the original, you might be at risk. You can avoid that one pretty easily by just viewing the document in the built-in viewer.
Trusting Information
This one is a risk pretty much all over the Internet, but it can be a bit trickier here. For those in the security field, consider this as a variant of cross site scripting. For those who don’t know what I’m talking about, just bear with me.
See, it’s very easy to make an account. You pick your name, you build your profile, you upload your docs. It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them. Then, they’d pull down the latest SEC documents and press releases and upload them to the site. Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price. Once that’s there, the easy sharing nature of Scribd becomes its weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).
With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response). It would be important to verify any information before acting, especially if it’s marked as “urgent”. The Internet allows us to share vast amounts of data very quickly. This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relies upon.
Conclusion
I use Scribd, albeit not a lot. I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much. If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool. Get an account and become familiar with the system so you can recognize when it is used outside of the main site.
As always, view all emotionally charged content as suspect and verify it before you act.
Small Business Defense – Antimalware
- At February 12, 2009
- By Josh More
- In Business Security
As many have noted before me, antivirus is dead. However, let’s clarify a few things.
First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless. Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one. However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake. Antivirus may not be dead, but your system will be.
See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware. This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature. So, these things can change and morph faster than you can keep up. However, you’ve got to do something, right? What are your options?
Ignore The Problem
My mother used to tell me that if I ignored the mean kids, they’d stop teasing me. She was wrong. In the same way, ignoring this problem will not make it go away. Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners. I hope that we can agree that this is no solution.
Host-Based Intrusion Prevention
Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products. These systems shift the problem from scanning the entire system to looking at what actually runs. These systems can detect common security flaws and prevent malware from accessing them. With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.
Perimeter Control
In the past, we’ve used a firewall to prevent access to internal systems. Some people are trying to extend this idea and pushing extra capabilities onto these network devices. The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network. It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc etc, I have my doubts that this technique will be effective.
Application Whitelisting
As many people do, once they’re told that something’s not working, they go to the opposite extreme. In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run. While I’m not a fan of extremism, it seems to be working in this case. Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others. The one caution here is in relying on only this technique, as if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want. Also note that, depending on your organization, it might take a long time to define the “good” applications.
Loss Detection
One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do. If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem. Small comfort, I know, but it’s better than not knowing, right?
Combination
Every organization will have a different set of needs and will need a different solution. However, there are a large number of businesses out there that would likely benefit from the following type of solution:
- Application Identification – Take the time to identify which applications are required for business.
- System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
- Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
- Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
- Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
- Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
- Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.
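The gap between signature matching and the whitelist steps in the list above, as an added example (not from the original post or from any product it names): it builds a SHA-256 manifest from a standard image, then audits a system against both that manifest and a signature set. The directory layout, file names and sample bytes are constructed, and a whole-file hash stands in for a vendor signature as a simplification.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(image_root: Path) -> dict:
    """Allowlist: relative path -> SHA-256 for every file in the standard image."""
    return {
        p.relative_to(image_root).as_posix(): sha256_file(p)
        for p in sorted(image_root.rglob("*"))
        if p.is_file()
    }


def audit(system_root: Path, manifest: dict, signatures: set) -> dict:
    """Check each file against the allowlist and, separately, the signature set."""
    report = {}
    for p in sorted(system_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(system_root).as_posix()
        digest = sha256_file(p)
        if rel not in manifest:
            status = "unlisted"      # never part of the approved image
        elif manifest[rel] == digest:
            status = "approved"
        else:
            status = "modified"      # tampering, or a patch not yet in the manifest
        report[rel] = {"status": status, "signature_hit": digest in signatures}
    return report


def blocked(report: dict) -> list:
    """Files a default-deny allowlist would refuse to run."""
    return sorted(rel for rel, r in report.items() if r["status"] != "approved")


def demo() -> dict:
    """Constructed image and system; all contents are harmless placeholder bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        image, system = Path(tmp, "image"), Path(tmp, "system")
        for root in (image, system):
            (root / "apps").mkdir(parents=True)
        (image / "apps" / "editor.bin").write_bytes(b"editor v1")
        (image / "apps" / "mail.bin").write_bytes(b"mail v1")
        manifest = build_manifest(image)

        (system / "apps" / "editor.bin").write_bytes(b"editor v1")
        (system / "apps" / "mail.bin").write_bytes(b"mail v1 + local change")
        known_sample = b"CONSTRUCTED-UNWANTED-SAMPLE"
        (system / "apps" / "game.bin").write_bytes(known_sample)
        # Same program with one byte appended: a new hash, so no signature match.
        (system / "apps" / "game2.bin").write_bytes(known_sample + b"\x00")

        signatures = {hashlib.sha256(known_sample).hexdigest()}
        return audit(system, manifest, signatures)


if __name__ == "__main__":
    result = demo()
    for rel, row in result.items():
        print(f"{rel:18} {row['status']:9} signature_hit={row['signature_hit']}")
    print("blocked by allowlist:", blocked(result))
```

The `modified` status is what the monthly operations step has to clear: after patching the image, rebuild the manifest before pushing it out, or every patched application shows up as blocked.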
Small Business Attack – Malware
- At February 11, 2009
- By Josh More
- In Business Security
It’s interesting how business awareness lags actual security threats. I was having a conversation recently with someone who said something like “yeah, we get hit by a virus about once a month, but we clean it up and keep going”. This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.
This is our fault. For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities. If you’ve touched any IT in the last decade, you’ll recognize the following list of words: virus, worm, trojan, spyware, adware, malware. You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life. Well, I’m sorry to break it to you, but you’ve been lied to.
We’re at the end of what antivirus can do. We’ve also reached the point where malware (malicious programs) has moved from being annoying to being evil.
Back in the day, malware would spread from system to system and slow things down. Sometimes, they’d delete files. That was then.
Today, people are using these systems to create what are known as bot armies. Once they take over your computer and add it to their armies, they can do anything they like to your computer. Like what?
- Conduct attacks on other networks
- Store illegal materials (often child pornography) on your computer
- Crack passwords
- Banking data
- Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
- Harvest client data (credit card numbers, social security numbers) from your network
Basically, if you get infected with malware, the attackers can get anything they want from you. Any file you have, any site you browse to, any email you send or receive. It’s all theirs.
It’s more than a nuisance. What are you doing about it?
Security lessons from Nature – Fire ants and lizard evolution
- At February 10, 2009
- By Josh More
- In Natural History
Borneo is a fascinating place. It is a land of edible birds nests, dragon’s blood and gold. Oh yeah, and don’t forget the parachuting cats (pages 29 and 31 are best, or, if you prefer, there’s a boring version.) But as much fun as the cat story is, I’d like to talk about ants instead. Ants, lizards, and the economy.
The news about the US economy isn’t all that good… depending on what “good” means. I personally have my doubts as to whether ever-increasing growth is a good thing. When that happens in a population like Borneo, we call it an epidemic (malaria) or an infestation (rats). When it happens in a person, we call it cancer. When it happens in the stock market, we call it “business as usual”. Methinks that there’s a misunderstanding somewhere, but I’ll let the economists handle that.
As I look at the news over the Internet and I hear from my friends, I’m seeing companies failing and people being laid off/let go/fired. Whatever terms you want to use, it’s pretty awful for people whose jobs are on the line, as they are in a position where they don’t have control over their own lives (much as if they were fighting malaria or cancer, actually). It is not surprising that the phrase “job security” would be bandied about right about now. For years I’ve been told “there’s no such thing as job security” and that I should “work to put myself out of work”. This doesn’t make much sense on the face of it, but when you get down to it, it’s all about control. In a lot of businesses, the bosses are in control and the employees do what they’re told. In others, the bosses and the employees work together to build something better. The former model is hierarchical and the latter model is cooperative.
Which brings me directly to ants and lizards.
See, in an ant society, you have very strict roles. The queen’s job is to lay eggs. The drones’ job is to mate with the queen, which sounds like a nice job, but they then have to die (always read your employment contract). Then you have the workers which, well, work. Then, some species will also produce soldiers who protect the nest. The model works well, and the ants are able to build very complex structures and societies within it, but the queen has all the control.
Lizards, in contrast, just sorta hatch and spend the rest of their lives eating things and laying about on rocks. Each lizard has their own autonomy and is in control of their respective lives. No one talks much about lizard edifices. Outside of science fiction and Minnesota, no one talks much about lizard societies.
But you know, they should… because the lizards are winning.
Recent developments on the fire ants vs lizards front have led to lizards evolving longer legs and faster speed. In contrast, the ants on Borneo are blowing themselves up. As with much in life, it all comes back to Borneo.
See, in Borneo, the ants are required to be suicide bombers because each suicide also takes out one invader. Taken as a whole, allowing harm to come to a few workers here and there keeps the colony safe and stable. Seems a bit like laying people off to keep the company afloat, doesn’t it? In contrast, the lizards who have learned to run away from threatening ants have survived and become successful enough for them to produce children that are even faster. They can escape the ants. They might even be able to escape parachuting cats (short version here if you skipped the earlier links).
It seems that, unless you’re independently wealthy, you have a choice to make. You can be an ant and lay your job on the chopping block to help out your company, or you can be a lizard and scurry from project to project, moving so fast that the other ants can’t keep up. Your company may or may not survive, but if you’re fast enough and good enough, you’ll likely land on your feet (like a parachuting cat, actually).
Security is an active pursuit. Your IT systems won’t stay secure if you just lock things down and then ignore them. Your job won’t stay secure if you sit around and hope for things to get better. Your business won’t stay secure if you wait for an outsider to fly over your island and drop cats on you.
Now is the perfect time to be a long-legged lizard.
Mythic Monday – Immortality
- At February 09, 2009
- By Josh More
- In Mythology
Stories about immortality and the quest for it abound in literature. You have kings trying to live on through their sons. You have gods that must ritually die and be reborn so that the cycle of nature can continue. And you have, in a few stories, the few humans that succeed in their quests.
Consider, for example, the Cumaean Sibyl who bartered her virginity to Apollo in exchange for everlasting life (not technically, but despite appearances, this isn’t a mythology blog). However, she made a bit of an error when she forgot to also ask for everlasting youth, so she kept getting older and older until she eventually faded to nothing but a voice kept in a jar.
This is very similar to the story of Tithonos, who was granted immortality by Eos (via Zeus) but she also forgot to ask for everlasting youth, so he aged past senility and was locked away where he babbled to himself in an empty room.
(Stories from Metamorphoses 14 and the Homeric Hymn to Aphrodite).
What lesson is there here? Clearly, there’s something for us all to learn about operating system virtualization.
Yeah, you heard me right. Ovid and Homer* were clearly writing about the modern practice of virtualization. Specifically, they were concerned about aging operating systems.
* Whether Homer actually wrote the Homeric Hymn to Aphrodite is debatable.
See, virtualization is wonderful, and it’s all the rage right now for some excellent reasons. It allows you to fully leverage your hardware to capacity. You can aggregate virtual machines on top of real machines and have them create a robust infrastructure. If any hardware fails, all the little VMs can even skitter around like cockroaches as they find a working environment in which to live. In short, we as IT admins have the power to make these machines live forever. We are truly blessed.
But, as ancient mythology has informed us, with great power comes great responsibility (OK, so that bit is modern mythology). We have the power to grant immortality to these systems, but we have to consider how we use that power.
After all, what purpose does death serve? It allows new life to take hold. It allows unfit life to go away. From a technical perspective, this means that we have to let systems die to make room for new and more efficient systems to be built. Also, and a bigger concern, we have to let the ancient systems die before they start to make problems for us.
Imagine for a second, a network that has a mix of Windows 2003, Windows 2000, Windows NT, Windows 98, RedHat Enterprise 3, IRIX, AIX and DOS. Now, I’m sure you’re thinking “this is ridiculous, such a network doesn’t exist, no one would let that happen”. Well, this describes the network I was working on a few months ago. I’ve worked on live production networks in 2008 that used operating systems that were five to ten years old. I’ve heard tales of systems that were running Windows 3.1, as production machines, into 2009.
Now stop for a minute and think ahead twenty years. Can you imagine still supporting Windows 2000 in 2029? What about 2049? We have the ability to grant these systems immortality, people. It’s going to happen.
Sometime in 2020, you’re going to be working on the GoogleSoftwahoo TeleBlazinger running on Linux kernel 2.6.3492-23 and wondering why your network hypercloud is slow. After launching numerous tools that allow you to trace network traffic in all four dimensions (five if you can afford the enterprise license), you’ll track the problem to an infected botnet of Windows 2000 systems running a ponzi scheme involving stolen credit card numbers. You’ll try to refresh them from backup, to discover that they’ve been compromised for the last 19 years, and your backups only go back 15. And, worst of all, there’s a legacy billing system that requires these machines, so you have to keep them running… forever.
You’ll stop, scratch your head, and think that virtualizing at the operating system level was the stupidest thing that we ever did. And you know, you’d be right.
What it comes down to is how your organization is structured. If you’re building a virtual infrastructure, making brand new systems and setting hard deprecation dates for these systems, you’ll probably be OK. However, if you are like many companies, and take the perspective of “just move the physical machines to virtualization and we’ll straighten it all out later”, I’m sorry to break it to you, but later is never going to get here. There will always be another fire and another resource restriction.
We have to think through new technology before we deploy it. There is a tendency to only look at the benefits and costs in terms of dollars, not in terms of time. A small gain in the present can be completely reversed and magnified by the flow of time. Just as inefficiencies add up throughout the weeks and months, security problems tend to grow over time. The longer you keep legacy systems around, the greater your risk grows.
If you grant immortality to these systems, they will just continue to age, until they will eventually be just another set of voices, hidden somewhere in the back of your network, babbling at your IDS systems pleading to be allowed to die.
Site Review – Flickr
- At February 06, 2009
- By Josh More
- In Business Security
For those that don’t know, you know, those of you who have been under a rock for the last few years, Flickr is a photo sharing site. It has numerous social media features which make it very easy to post your content, add it to groups, discuss it with others, etc. It supports all types of cameras as well as files from applications like PhotoShop and PaintShop Pro. They recently added the ability to share movies.
In short, it’s great. I use it all the time.
But, like all systems, especially in the fancy 2.0 world, there is a risk assessment that you should consider.
Pros:
- Easy to use
- Free to low cost
- Active community with which to interact
Cons:
- Who owns your content?
- How can you use others’ content?
- How can others use your content?
- How is your content backed up?
- Are you at risk from social engineering?
Please note that copyright is a complicated thing and well outside of the scope of this blog. For real questions, please see a lawyer. However, I’ll be glad to answer my own fake questions, after all, it’s my blog, right?
Who owns your content?
Well, you do, of course. You made it, it’s yours. Yahoo even agrees. Oh, wait a minute. The Terms of Service state:
Yahoo! Inc. (“Yahoo!”) welcomes you. Yahoo! provides the Yahoo! Services (defined below) to you subject to the following Terms of Service (“TOS”), which may be updated by us from time to time without notice to you.
So maybe it would be more accurate to state that “you own your content right now”. Not exactly ringing with assurance, but it’s the best we can do.
How can you use others’ content?
Oh, this one is easy! Each photo is marked as “All rights reserved” (meaning you can’t use it) or “Some rights reserved” (meaning, umm, maybe). Flickr uses the Creative Commons to allow people to license their photos as they wish. Luckily, they also provide an advanced search so you can find photos that you can use and alter for commercial use.
Of course, there’s nothing preventing a user from posting a photo that you can re-use and then changing the licensing AFTER you’ve used it. Any idea how you could prove that it used to be licensed differently? I sure don’t know.
Also, what happens if a photo is licensed so that you can use it but the person in the photo never signed a release? Is it usable? Can you be sure?
How can others use your content?
OK, this one should be easy, right? After all, you upload your photos and you set a license and you’re done. Flickr does all the magic to make sure that people only use your photos the way you want, right?
Well, not exactly. See, if you license your photo under any of the Creative Commons options, the original image is available to everyone. In other words, they have to voluntarily agree to abide by the copyright. If they don’t, you have to deal with that yourself. Are you able to monitor all the images on the Internet to make sure that yours are being used according to your wishes? I know that I’m not.
How is your content backed up?
This really isn’t known. There’s no mention of backups in the terms of service, and there has been at least one high-profile issue involving backups. In general, they should be safe, but you might want to consider other options. Or, you know, just keep a copy of whatever you upload to them.
Are you at risk from social engineering?
Finally, one that can be answered definitively. Yes. You are always at risk of social engineering. The more interesting question is “How are you at risk from social engineering?”
Flickr allows you to post photos. Odds are that these photos will be of people you know and places you’ve been. You can tag these photos by location, put people’s names into them and otherwise release loads of information for the savvy social engineer. They can take this information and use it to develop friend and family graphs and identify themselves to you or one of your friends as someone who seems trustworthy, but isn’t.
Conclusion
Wow, that’s a lot of negatives. Does that mean that you shouldn’t use Flickr?
Well, that’s a decision that you have to make on your own. In case it helps you, this is the decision that I made:
I choose to use flickr because I like the community and because I want others to use my photos. With the exception of people that have not signed a release, all of my photos are tagged under the Creative Commons to allow re-use but only for non-commercial use and if I am credited. Also, since a great many of my photos are taken at zoos, I allow zoos to use my photos for free, even for commercial use, so long as they ask politely.
In short, I do not make much of a living directly off of my photos (though I’m working on some projects at the moment that may change that). Rather than expend my energies pursuing and defending misuse, I choose to trust the majority of people to do the right thing. I do, however, keep the originals on my systems and am prepared to defend my rights, should I become aware of a violation.
I do NOT use anyone else’s photos for a commercial purpose without their permission. I do not consider accent and illustrative photos in this blog to be commercial use (as I make no money off this site), so I may use someone’s photo here or there. However, I am very easy to get ahold of, and if anyone asks me to take down one of their photos, I’m easy to work with.
So yeah, it’s not exactly straightforward, but to me, it’s worth the risk.
Small Business Defense – Document Leakage
- At February 05, 2009
- By Josh More
- In Business Security
If my last post raised any questions for you, this post will hopefully answer some of them. As with many security topics, the issue is complex and this post will NOT give you all the answers. Hopefully, though, it will help.
The first thing to look at is access. In order for an attacker to get your data, they have to get on your network and somehow access the documents. The more places that you keep your documents, the easier this is for an attacker to do. If you put all your documents in a single place and prevent anyone from saving them anywhere else, you’ll be a bit better off. (Odds are you won’t be able to keep them off your network, just so you know.)
However, this will also make a nice place for an attacker to target, so you should control this storage location. At a minimum, you should control access to the document repository by username and password. If you can, it would be good to split up access levels within the repository so that the documents are grouped by type and only people with the business need to access those documents have the ability to do so.
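Splitting access by document type and business need only helps if someone checks that actual accesses match it. The following added example (not from the original post) reviews a repository access log against such a policy; the log format, user names, groups and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical policy: document groups each user has a business need for.
POLICY = {
    "alice": {"finance", "hr"},
    "bob": {"sales"},
    "carol": {"sales", "finance"},
}

# Constructed log lines: timestamp user group document action
SAMPLE_LOG = """\
2009-02-02T09:14:05 alice finance budget-2009.xls read
2009-02-02T10:02:41 bob sales leads-q1.doc read
2009-02-03T02:37:10 bob sales leads-q1.doc read
2009-02-04T11:20:00 bob finance payroll.xls read
2009-02-05T14:00:01 carol sales price-list.doc read
2009-02-05T14:00:09 carol sales contracts-a.doc read
2009-02-05T14:00:15 carol sales contracts-b.doc read
2009-02-05T14:00:22 carol finance budget-2009.xls read
2009-02-05T14:00:30 carol finance forecast.xls read
2009-02-06T13:05:00 dave hr reviews.doc read
"""


def review(log_text, policy, work_hours=(7, 19), bulk_threshold=5):
    """Return (line_number, kind, detail) findings for a human to follow up."""
    findings = []
    docs_per_user_day = defaultdict(set)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            findings.append((lineno, "unparseable", line))
            continue
        stamp, user, group, doc, _action = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            findings.append((lineno, "unparseable", line))
            continue
        # Unknown users have an empty allowed set, so they are always flagged.
        if group not in policy.get(user, set()):
            findings.append((lineno, "outside-need", f"{user} -> {group}/{doc}"))
        if not work_hours[0] <= when.hour < work_hours[1]:
            findings.append((lineno, "off-hours", f"{user} at {when:%H:%M}"))
        docs_per_user_day[(user, when.date())].add(f"{group}/{doc}")
    # Many distinct documents in one day can indicate bulk copying.
    for (user, day), docs in sorted(docs_per_user_day.items()):
        if len(docs) >= bulk_threshold:
            findings.append((None, "bulk", f"{user} opened {len(docs)} documents on {day}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in review(SAMPLE_LOG, POLICY):
        where = f"line {lineno}" if lineno else "summary"
        print(f"{where:8} {kind:13} {detail}")
```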
Do not rely on the built-in password protection of the documents themselves. They can be broken. (Also, please note, running random software off the Internet is unwise. It may not work, it may do things other than what you expect, it may give an attacker the very files you are trying to protect.)
If you are somewhat technical or have a technical consultant helping you, you may want to implement an encryption mechanism to protect your documents. This is highly complex and hard to do right, but it can help more than almost anything else you can do.
Once your documents are all in one place and reasonably protected, stop and think about what to do if someone does access and misuse the document. Are all of your sensitive documents clearly marked? Are you certain that the law will protect you if they’re not? (Sometimes it doesn’t.) Would marking the documents as “sensitive”, “secret” or “proprietary” just give attackers something to search for?
Hmm, what an interesting problem.
What many companies choose to do is to classify information based on its security level. There are different ways to do this, but all of them start with the question “what’s the most important and/or damaging information?” Once you can group your documents by risk, you stand a chance of protecting them. Then you can write a document classification policy and start looking at tools to implement it technologically. These steps are beyond the scope of this post, but your legal and technological contacts can help you with that.
Lastly, I should mention that the easiest data to protect is data that isn’t there anymore. You might want to read Brett Trout’s post on document retention policies.
Small Business Attack – Type of Data: Office Documents
- At February 04, 2009
- By Josh More
- In Business Security
How many of you use Microsoft Office? OpenOffice.org? KOffice? AbiWord?
I’ll bet you’re all raising your hands right now, right? Well, put ’em down, you’ll want to hit scroll at some point.
What do you know about these files? Did you know that many of these files track changes? In other words, if you redact certain things or change data, that a clever attacker can open the file and revert it to what it used to be? It happens.
Do you know what kind of data is stored in these documents? Financial data? Email addresses? Trade secrets? Passwords?
(The above links go to Google searches. There is no guarantee what Google may find when you search on certain things. If you access information that you shouldn’t, saying “but it was on Google” may not be a good defense. Remember rule number one of security is don’t be stupid.)
If someone wanted data from your company, where would they go to get it? Is there any one thing (say, a spreadsheet perhaps) or location (hmm, shared drive) that might be particularly tempting to an attacker?
If you get a virus or spyware infection on your computer, might the person who wrote it be able to access all the documents that you can access?
How are you protecting your files?
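A pre-send check for the tracked-changes problem raised above, as an added example that is not part of the original post. It assumes the newer .docx (Office Open XML) format, where a document is a ZIP archive and tracked deletions and insertions sit in `word/document.xml` as `w:del` and `w:ins` elements; the sample document and author name are constructed, and the older binary .doc format is not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def tag(name: str) -> str:
    """Fully qualified WordprocessingML tag or attribute name."""
    return f"{{{W}}}{name}"


def scan_docx(data: bytes) -> dict:
    """Report text and metadata that survive in a .docx as tracked revisions."""
    result = {"deleted": [], "inserted": [], "authors": [], "comments": 0}
    authors = set()
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP-based Office document") from exc
    with archive:
        names = set(archive.namelist())
        if "word/document.xml" not in names:
            raise ValueError("no word/document.xml part found")
        # The stdlib parser keeps the example dependency-free; for files from
        # untrusted sources the Python docs point to a hardened parser
        # such as defusedxml.
        root = ET.fromstring(archive.read("word/document.xml"))
        for kind, wrapper, text_tag in (("deleted", "del", "delText"),
                                        ("inserted", "ins", "t")):
            for element in root.iter(tag(wrapper)):
                text = "".join(t.text or "" for t in element.iter(tag(text_tag)))
                if text:
                    result[kind].append(text)
                author = element.get(tag("author"))
                if author:
                    authors.add(author)
        if "word/comments.xml" in names:
            comments = ET.fromstring(archive.read("word/comments.xml"))
            result["comments"] = sum(1 for _ in comments.iter(tag("comment")))
    result["authors"] = sorted(authors)
    return result


def has_revisions(result: dict) -> bool:
    """True when a recipient could recover earlier wording or reviewer notes."""
    return bool(result["deleted"] or result["inserted"] or result["comments"])


def make_sample(paragraph_xml: str) -> bytes:
    """Constructed archive holding only the part the scanner reads."""
    document = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
                f'{paragraph_xml}</w:p></w:body></w:document>')
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("word/document.xml", document)
    return buffer.getvalue()


# Constructed sample: a figure was "replaced", but the old one is still stored.
TRACKED = (
    '<w:r><w:t>Our offer is </w:t></w:r>'
    '<w:del w:id="1" w:author="J. Example" w:date="2009-02-01T10:00:00Z">'
    '<w:r><w:delText>$40,000</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="J. Example" w:date="2009-02-01T10:00:00Z">'
    '<w:r><w:t>$55,000</w:t></w:r></w:ins>'
    '<w:r><w:t>.</w:t></w:r>'
)
CLEAN = '<w:r><w:t>Our offer is $55,000.</w:t></w:r>'

if __name__ == "__main__":
    for label, body in (("tracked", TRACKED), ("clean", CLEAN)):
        found = scan_docx(make_sample(body))
        print(label, "-> hold back" if has_revisions(found) else "-> ok", found)
```

Accepting all changes and deleting comments before saving removes what this check finds; it does not look at other metadata such as document properties.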
Security lessons from Nature – Genetic Tricks of Parasites
- At February 03, 2009
- By Josh More
- In Natural History
Let’s start this one by utterly ignoring the negative connotations of the word “parasite”. It is a perfectly valid form of life and has proven to be highly successful in nature. So, in other words, there’s nothing wrong with being a parasite… you know, if you happen to be one.
This news is from the journal Nature Genetics and is summarized here. In a nutshell, they’ve found that parasitic life forms tend to have fewer genes than non-parasitic life forms. Why is this interesting?
Well, it means that creatures that are dependent on other creatures can simply drop the bits of themselves that they don’t need. However, dropping genes is a lot easier than gaining new ones (usually). What does this mean to you?
It’s interesting to compare this to business models. While no company exists in a vacuum, different companies do have differing levels of self-sufficiency. For example, a full service IT company can do many things themselves. They may use the products of different companies, but generally speaking, they are dependent on none of them. If one branch of their business were impacted by a change in the market, they could just focus on another. This is good, but it does tend to make the company larger and less responsive.
Compare this to companies that only do one thing, but do it very very well. Let’s take a hosting company as an example. A hosting company is completely dependent on their bandwidth provider. Sure, some of them use multiple bandwidth providers, but even in this case, the business model is parasitic (upon a genus or order of businesses, rather than just one species). So, suppose that something happened to all but one of the sphenodontian businesses. Our little parasitic business would be forced to work with the one remaining business to survive.
Suddenly, the reduced resource usage that parasitism allows for doesn’t look quite so appealing.
As with many things, it’s all about risk management. When you gain an advantage here, it’s often paired with a disadvantage there. So, as you look at your business and consider where to make cuts or where to focus on your core competencies, just consider one thing:
How do reductions now reduce my options later?
Mythic Monday – Orpheus
- At February 02, 2009
- By Josh More
- In Mythology
So, you all know the story of Orpheus, right?
Short form:
Orpheus was the greatest musician in the world. He had a wife named Eurydice who died. He went to the underworld, played for and charmed the Lord and Lady of Death (Hades and Persephone) into letting him bring his wife back from death. The one condition was that he not look back on his journey back to the lands of the living. Being a Greek tragedy, he looked back and saw his wife following. She then faded away, and was gone forever.
Longer (and better) versions can be found here and here. I mostly want to look at one main theme.
Trust
While most people seem to have a general idea of what the word “trust” means, there has been considerable debate in the computer security field as to how to build it into systems. They raise questions about levels of trust, webs of trust, calculating trust, and how to handle the fact that trusted relationships can change over time. These questions can be very fine grained and particular, but you’re probably not interested in the academic nature of these discussions. Instead, let’s look at a couple of examples.
Scenario 1: You partner with a large company.
Suppose you enter into a business partnership with a company that is much larger than yours. Odds are that you have to fill out a contract and commit to specific items (usually based on revenue). You are then granted access to specific resources at the large company. In IT, this is usually in the form of internal-use licenses.
In this model, you trust the company to provide you with software that doesn’t steal your data and the company trusts you not to resell your licenses to others or otherwise negatively impact their revenue. So, what happens if the trust model is violated?
Well, there are really two variants. If you break the trust relationship, you will likely be faced with, at minimum, the severing of the partnership and, at maximum, legal action. However, if it turns out that the large company is not to be trusted, what can be done? Legal action may not be much of an option, and if you terminate the partnership, how much would it hurt you versus the large company?
Is the partnership fair?
Scenario 2: Trusted people within a business.
In security discussions, the second hardest discussion is trying to convince a client that inside attacks are a real and present danger. Of course, the hardest discussion is after the trusted insider is discovered to have been embezzling money or selling private data, so it’s often worth the time to have the first discussion.
Simply put, businesses don’t function well without trusted internal people. If there are too many rules, work can’t get done. However, the more lax an organization is, the more risk it faces. In times of economic difficulty, this risk increases.
Why? When people don’t get bonuses and raises, they often take it personally. They may be in a position where valuable data (or even just money) passes through every day. They may stop and think “gee, with all this money around, who is going to miss a little tiny bit?” and then they’ll have the big thought of “besides, they owe me”. Sometimes, they wind up in personal difficulty, and it starts as a little “borrowing” that gets out of control.
This happens all the time: police sergeants, booster club presidents, priests, vice presidents, and more.
Yeah yeah, I know, you’re different, your people can be trusted.
Maybe, maybe not. . . probably not.
Do you have any systems or procedures in place to catch this type of activity?
Conclusion
In the story, Hades and Orpheus had an agreement. Sure, it was an agreement with an odd condition, but that’s not exactly unusual in partnerships. In this case, who was trustworthy and who was not? Also, how were the individuals impacted?
Hades: Got to hear some lovely music.
Orpheus: Lost the love of his life TWICE.
The cost of being untrustworthy is awfully high, isn’t it?
So, what could Orpheus have done differently? Might the agreement have benefited from some additional clarity, so that his nervousness could have been alleviated? Could there have been some procedure or technology used to make it more difficult for him to violate the agreement?
Look at the trust relationships at work within your business. Consider what happens if you wind up being untrustworthy. Consider what happens if your partner isn’t trustworthy.
Is there anything in place to validate and maintain the trust?
Should there be?
