Why it might not: a potential (MA based) vendor we’re talking to says

We’ve not been asked this before and about 201 CMR 17 Compliance and I don’t particularly think it applies to our VoIP, or VoIP in general

Why it might: Section 17.04 qualifies the applicability of the rule to

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include…a security system covering its computers, including any wireless system

Like just about any business, we definitely transmit personal information over our phone system, so I think the technical / legal question is whether an electronic phone system of the type in question is covered under the “its computers” phrase.

Stepping back from the legal to the practical, however, it seems fair to expect reasonable information security from our communications systems, including VOIP. At least in its intent, I think that’s what 201 CMR 17 is after. VOIP is still new enough that I suspect many prospective customers (like us!) aren’t quite sure what constitutes a reasonably secure installation, though we sense that there are all kinds of potential attack vectors not present in POTS.

some tidbits:

• 201 CMR may even apply to entities entirely outside of MA, as long as they have any data about Massholes in their systems. So don’t get all smirky in Texas or wherever.
• Who knew? Martha Coakley, as AG, gets credit for helping adjust 201 CMR to work better with business’ realities. That, and her Harpoon preference, really ought to be pushed more strongly by the campaign.
• A useful collection of info can be found at one of the ugliest websites in recent memory.

Fortunately, there doesn’t seem to be anything particularly unreasonable in the requirements, so organizations following good data security procedures shouldn’t have to do much work (if any) to be compliant.

As for me, I still need to do my official audit of our procedures vs. those specified by the regulation.

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

It’ll be interesting to sit down with this & see how our policies & procedures match up.

From my research, it looks like the necessary pieces are:

• Soekris 4501 & case - $173
• power supply - $11
• 2 GB SanDisk CF - $26
• USB card reader - $12 (to write to the CF card, naturally)
• Null Modem & USB <-> DB9 cable - $27 (no hardware with DB9 around)

So, for about $250 + some shipping, and a bit of fiddling around time, this could be a pretty robust solution. I’m not sure I’d care to work out all the installation and configuration details myself, but there are a couple guides to getting everything up & running. I’ll certainly add my own notes if I go through with this.

First impressions (after noting how unfriendly the UMass campus is to bicycles) were of an absence of buzz. Many vendors hanging around in one room, and then a vendor representative giving a traditional one-way presentation in the next room. After attending a few barcamps, it really seems to me that a more interactive format would benefit everyone involved. This conference was clearly driven by the vendors, but it seems to me that it’d be in their best interests to learn more about their potential customers’  interests and concerns, rather than broadcasting a sales message.

Despite the one-to-manyness, the presentations I made it to varied quite a bit. A few did a good survey of some aspect of security, and then tied that discussion into the vendor’s offerings right at the end. Others were basically just sales pitches. Guess which kind lost more of the audience?

new concepts to me

NAC - Network Admission Control. Folks will sell you systems that go beyond requiring just a username / password combo to get on a given network, by combining checks on device MAC / IP, allowed hours of operation, and presence and activity of specified software. Packetfence looks like a promising open source NAC.

IPS - Intrusion Prevention System. If I’m understanding correctly, these go beyond IDSes by taking some action such as updating firewall rules when naughtiness is detected. It looks like Snort has been able to do this sort of thing for a while, also PF has some related capabilities.

notable speakers

Ming Fu of Lumension introduced me to the concept of thumbsucking — apparently the new hotness in social engineering attacks is to leave USB drives with said software lying about in parking lots, expecting that some percentage will be picked up & plugged in… nasty! Lumension’s tie-in is that they have a product that allows strictly defined device access controls for windows boxes, so you could set up rules that would prevent employee accounts from mounting any USB devices, and only allow admins to mount USB devices already encrypted with your organization’s key.

Ken Pappas of Top Layer Networks gave a high-level rundown on the overall tech security situation, and managed to do it with not an ounce of sales pitch. Authentic confidence is an excellent marketing tool, and Ken’s got that. His early remarks included a shout-out to the Boston chapter of the possibly shooting-to-kill InfraGard. He then went on to summarize the state of security in ‘08, which is basically: not that great. Incidence rates are going up, the range of attackers is increasing in professionalism and skill at the top end and becoming even less sophisticated (i.e. lower barrier to entry) on the low-end with easily available point-and-click tools for launching mail bombs, etc. Those of us responsible for computers attached to networks definitely need to be budgeting some of our time to keep up with the evolving threats, regardless of whether we’re aware of any particular adversary that’s out to get us or our data.

takeaway

It’s important to get away from the daily stream of projects periodically, to think about things from a higher level. Vendory as this conference was, it did give me that opportunity, and I did re-prioritize my TODO list at the end of the day.

The downside: I hadn’t thought through how many calls & emails I was setting myself up for receiving from the conference vendors. FYI, I am 100% of the time never going to spend money with someone who calls me out of the blue and interrupts whatever I’m working on. Send me an email, and I’ll file it for processing at an appropriate time.